Description
Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0.
Published: 2026-03-13
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting in Lean 4 VS Code extension
Action: Apply Patch
AI Analysis

Impact

The vulnerability is in the @leanprover/unicode-input-component package (version 0.1.9 and earlier) used by the Lean 4 Visual Studio Code extension. The package re‑inserts user-supplied text into an input element as unescaped HTML, creating a Cross‑Site Scripting (CWE‑80) condition. An attacker could inject malicious scripts that would execute within the context of the extension.

Affected Systems

Projects that use the Lean 4 VS Code extension from vendor leanprover (product vscode‑lean4) and include the @leanprover/unicode-input-component package version 0.1.9 or older are affected. The vulnerability was fixed in component version 0.2.0.

Risk and Exploitability

The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of exploitation. The attack requires the attacker to provide malicious input to the extension’s input element, so the exploitation vector is user‑initiated input within the project environment.

Generated by OpenCVE AI on March 16, 2026 at 23:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the @leanprover/unicode‑input‑component package to version 0.2.0 or later.
  • Verify that the Lean 4 VS Code extension has been updated to include the patched component.
  • If an upgrade cannot be performed immediately, avoid using the affected component until a patch is applied.

Generated by OpenCVE AI on March 16, 2026 at 23:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6ggm-pwr9-r5h2 XSS in @leanprover/unicode-input-component
History

Mon, 16 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Leanprover
Leanprover vscode-lean4
Vendors & Products Leanprover
Leanprover vscode-lean4

Fri, 13 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0.
Title XSS in @leanprover/unicode-input-component
Weaknesses CWE-80
References
Metrics cvssV4_0

{'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Leanprover Vscode-lean4
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T20:22:43.428Z

Reserved: 2026-03-13T15:02:00.627Z

Link: CVE-2026-32732

cve-icon Vulnrichment

Updated: 2026-03-16T20:20:37.687Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:19:43.580

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-32732

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T13:39:10Z

Weaknesses