Description
LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes the issue.
Published: 2026-03-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site Scripting
Action: Patch Now
AI Analysis

Impact

LeafKit is a templating language that, before version 1.14.2, fails to escape HTML when a template outputs a collection using #(value). This bug allows untrusted input containing malicious script or HTML to be rendered directly into the page, resulting in a Cross‑Site Scripting (XSS) vulnerability. The weakness corresponds to CWE‑79 and CWE‑80 (Cross‑site Scripting) and involves improper handling of textual content (CWE‑116).

Affected Systems

Affected systems include all installations of vapor:leaf-kit running a version earlier than 1.14.2. The vulnerability is present in all releases preceding the 1.14.2 fix, and applies to the generic cpe:2.3:a:vapor:leafkit:*:*:*:*:*:*:*:* platform. Applying the update to v1.14.2 or later resolves the issue.

Risk and Exploitability

The CVSS v3 score is 6.9, indicating medium severity. The EPSS score is below 1%, suggesting a low probability of active exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw by providing crafted data to the template rendering process, typically via a web form or API that feeds untrusted values into LeafKit templates. Because the output is not encoded, injected JavaScript can execute in the context of the user’s browser, potentially leading to session hijacking or the disclosure of sensitive information.

Generated by OpenCVE AI on March 18, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LeafKit to version 1.14.2 or later.
  • Verify that all templates use the updated library and current escaping behavior.
  • If an update is not possible, sanitize collection data before passing to templates or remove raw output of collections from templates.

Generated by OpenCVE AI on March 18, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6jj5-j4j8-8473 LeafKit's HTML escaping may be skipped for Collection values, enabling XSS
History

Wed, 18 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vapor:leafkit:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Vapor
Vapor leafkit
Vendors & Products Vapor
Vapor leafkit

Wed, 18 Mar 2026 01:30:00 +0000

Type Values Removed Values Added
Description LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes the issue.
Title LeafKit's HTML escaping may be skipped for Collection values, enabling XSS
Weaknesses CWE-116
CWE-79
CWE-80
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

Vapor Leafkit
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T14:08:06.611Z

Reserved: 2026-02-27T20:57:47.708Z

Link: CVE-2026-28499

cve-icon Vulnrichment

Updated: 2026-03-18T14:07:53.751Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T02:16:24.060

Modified: 2026-03-18T19:48:35.087

Link: CVE-2026-28499

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:53:49Z

Weaknesses