Vulnerability Description
LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping does not work correctly when a template prints a collection (Array / Dictionary) via `#(value)`: the elements of the collection are rendered without escaping, even though a plain string printed the same way is escaped. This can result in XSS wherever a template interpolates a collection that contains untrusted input. Version 1.14.2 fixes the issue; templates that only ever print scalar string values are not affected by this specific bug.
CVSS Score
6.1 (MEDIUM)
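The bug class described above (escape scalars, but let a collection fall through to a generic stringification) is easy to reproduce outside LeafKit. The following is an added example written for this page, not LeafKit's own code: a toy `#(value)` renderer in Python with the vulnerable behaviour beside the hardened form, run against a constructed context in which the same attacker-controlled string appears once as a plain value and once inside a list and a dictionary. The escaping helpers, payload and context are assumptions made for illustration.

```python
import html
from typing import Any

# Constructed sample context (not from the advisory): the same untrusted
# string appears as a scalar and as an element of a list and a dictionary.
PAYLOAD = "<script>alert(1)</script>"
CONTEXT = {
    "name": PAYLOAD,
    "tags": [PAYLOAD, "safe"],
    "attrs": {"title": PAYLOAD},
}


def render_vulnerable(value: Any) -> str:
    """Mimics the bug class: a plain string is HTML-escaped, but a collection
    is stringified as a whole, so its elements reach the output unescaped."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    # list/dict fall through: str() of the collection embeds the raw payload
    return str(value)


def render_fixed(value: Any) -> str:
    """Hardened form: escape every leaf string, recursing through lists and
    dictionaries, and only then join the pieces into a textual representation."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, list):
        return "[" + ", ".join(render_fixed(v) for v in value) + "]"
    if isinstance(value, dict):
        return "{" + ", ".join(
            f"{render_fixed(k)}: {render_fixed(v)}" for k, v in value.items()
        ) + "}"
    # numbers, booleans, None: stringify first, then escape the result
    return html.escape(str(value), quote=True)


def leaks_raw_markup(rendered: str) -> bool:
    """Regression check: an unescaped script tag in rendered output means the
    escaping layer was bypassed for at least one element."""
    return "<script>" in rendered


if __name__ == "__main__":
    for key, value in CONTEXT.items():
        print(f"{key:6} vulnerable: {render_vulnerable(value)}")
        print(f"{key:6} fixed:      {render_fixed(value)}")
```

The scalar case renders identically under both functions, which is why a test suite that only exercises `#(name)` never notices the gap; the regression check has to feed a collection through the renderer and assert that no raw markup survives.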
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vapor | Leafkit | < 1.14.2 |
Related Weaknesses (CWE)
References
- https://github.com/vapor/leaf-kit/commit/6044b844caa858a0c5f2505ac166f5a057c990d (Patch)
- https://github.com/vapor/leaf-kit/releases/tag/1.14.2 (Release Notes)
- https://github.com/vapor/leaf-kit/security/advisories/GHSA-6jj5-j4j8-8473 (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-28499?
CVE-2026-28499 is a vulnerability with a CVSS score of 6.1 (MEDIUM). LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping does not work correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes the issue.
How severe is CVE-2026-28499?
CVE-2026-28499 has been rated MEDIUM with a CVSS base score of 6.1/10. Only the base score and rating are listed on this page; the full CVSS vector is not given here, so consult the vendor advisory in the references for the metric breakdown.
Is there a patch for CVE-2026-28499?
Yes. LeafKit 1.14.2 fixes the issue; the patch commit and the 1.14.2 release notes are linked in the references section above. Affected products include: Vapor Leafkit (versions prior to 1.14.2).