CVE-2026-28499

MEDIUM

LeafKit's HTML escaping may be skipped for Collection values, enabling XSS

Title source: cna

Description

LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes the issue.

References (3)

[X_Refsource_Confirm] https://github.com/vapor/leaf-kit/security/advisories/GHSA-6jj5-j4j8-8473

[X_Refsource_Misc] https://github.com/vapor/leaf-kit/commit/6044b844caa858a0c5f2505ac166f5a057c990dc

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/vapor/leaf-kit/releases/tag/1.14.2

Scores

CVSS v3 6.1

EPSS 0.0001

EPSS Percentile 1.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-116 CWE-80 CWE-79

Status published

Products (3)

SwiftURL/leaf-kit 0 - 1.14.2SwiftURL

vapor/leaf-kit < 1.14.2

vapor/leafkit < 1.14.2

Published Mar 18, 2026

Tracked Since Mar 18, 2026