Description
LeafKit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape HTML special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special HTML character and some additional characters. In the case of HTML attributes, this can lead to XSS if there is a Leaf variable in the attribute that is user controlled. This vulnerability is fixed in 1.4.1.
Published: 2026-02-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting in HTML attributes
Action: Apply patch
AI Analysis

Impact

LeafKit’s htmlEscaped function failed to escape HTML special characters when they appeared as part of a larger extended grapheme cluster. This allows an attacker to supply crafted input in which a special HTML character is hidden inside a grapheme cluster; the character is not escaped and is rendered into an HTML attribute unchanged. If the vulnerable template variable is derived from user‑controlled data, this can lead to client‑side cross‑site scripting (XSS). The weakness is a form of improper escaping (CWE‑75 and CWE‑79).
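As an added illustration (not LeafKit's code and not the actual change shipped in 1.4.1), the following Swift shows the class of bug the advisory describes: an escaper that compares whole Characters misses a `<` that Swift has merged with a following combining mark into one grapheme cluster, while an escaper that works on Unicode scalars still sees and escapes it. The function names and the probe string are constructed for this example.

```swift
// Added example, not LeafKit's code. Shows why escaping that compares whole
// Swift Characters (extended grapheme clusters) misses HTML specials, and a
// corrected routine that inspects Unicode scalars instead.

// Vulnerable pattern. In Swift, iterating a String yields Characters, and a
// Character is an extended grapheme cluster. A "<" immediately followed by a
// combining mark forms ONE Character that compares unequal to "<", so the
// switch falls through to `default` and the raw "<" is emitted.
func escapeByCharacter(_ input: String) -> String {
    var out = ""
    for ch in input {
        switch ch {
        case "&":  out += "&amp;"
        case "<":  out += "&lt;"
        case ">":  out += "&gt;"
        case "\"": out += "&quot;"
        case "'":  out += "&#39;"
        default:   out.append(ch)
        }
    }
    return out
}

// Corrected pattern. Iterating `unicodeScalars` visits the base character and
// any combining marks separately, so every HTML special is seen on its own
// regardless of what follows it. Combining marks are copied through unchanged
// and simply attach to the entity text in the output.
func escapeByScalar(_ input: String) -> String {
    var out = ""
    for scalar in input.unicodeScalars {
        switch scalar {
        case "&":  out += "&amp;"
        case "<":  out += "&lt;"
        case ">":  out += "&gt;"
        case "\"": out += "&quot;"
        case "'":  out += "&#39;"
        default:   out.unicodeScalars.append(scalar)
        }
    }
    return out
}

// Detection helper: true if a raw "<" survives escaping, i.e. the bypass the
// advisory describes succeeded. The search is done on scalars so the check
// itself is not fooled by the same grapheme-cluster effect.
func leavesRawLessThan(_ escaped: String) -> Bool {
    return escaped.unicodeScalars.contains("<")
}

// Constructed probe: a "<" fused with U+0301 COMBINING ACUTE ACCENT, which
// Swift treats as a single Character, followed by ordinary markup-like text.
let probe = "<\u{301}b>bold"

let escapers: [(String, (String) -> String)] = [
    ("by Character", escapeByCharacter),
    ("by Unicode scalar", escapeByScalar),
]

for (name, escaper) in escapers {
    let escaped = escaper(probe)
    print("\(name): raw '<' present = \(leavesRawLessThan(escaped)) -> \(escaped)")
}
```

Running this, the Character-based escaper passes the fused `<` through untouched, while the scalar-based one emits `&lt;` followed by the combining mark. The same scalar-level check is a cheap regression test to add wherever a project hand-rolls HTML escaping in Swift.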

Affected Systems

Vapor’s LeafKit templating library in any version prior to 1.4.1 is affected. The issue applies to all installations where the library is used to populate HTML attributes with untrusted content. The vendor is Vapor; the product is LeafKit.

Risk and Exploitability

The CVSS score of 6.1 signals moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. From the description, the attack is client‑side: the attacker would need to influence the user‑controlled data that passes through LeafKit, typically via a form or API payload. If successful, the attacker can execute arbitrary JavaScript in the victim’s browser, compromising the confidentiality and integrity of user sessions.

Generated by OpenCVE AI on April 18, 2026 at 11:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LeafKit to version 1.4.1 or later, which contains the fix for the escaping bypass.
  • Implement a strict Content Security Policy that restricts inline script execution and limits origins to mitigate the impact of any potential XSS attacks.
  • Review all template usages where user data is inserted into HTML attributes and enforce additional sanitization or manual escaping if the data cannot be guaranteed safe.

Advisories
Source: GitHub GHSA
ID: GHSA-4hfh-fch3-5q7p
Title: Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster
History

Mon, 02 Mar 2026 13:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:vapor:leafkit:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Vapor; Vapor leafkit
Type: Vendors & Products
Values Added: Vapor; Vapor leafkit

Fri, 20 Feb 2026 21:45:00 +0000

Type: Description
Values Added: Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this can lead to XSS if there is a leaf variable in the attribute that is user controlled. This vulnerability is fixed in 1.4.1.
Type: Title
Values Added: Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster
Type: Weaknesses
Values Added: CWE-75, CWE-79, CWE-87
Type: References
Values Added: (none)
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:41:10.070Z

Reserved: 2026-02-17T18:42:27.043Z

Link: CVE-2026-27120

Vulnrichment

Updated: 2026-02-24T18:41:01.691Z

NVD

Status: Analyzed

Published: 2026-02-20T22:16:29.830

Modified: 2026-03-02T13:34:09.307

Link: CVE-2026-27120

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses