QwikSec

Security Database

CVE

CWE

Training

CVE-2026-28499

Published: Mar 18, 2026

Modified: Mar 18, 2026

PUBLISHED

Description

LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes the issue.

Vendor	Product	Versions
vapor	leaf-kit	affected `< 1.14.2`

Weaknesses (CWE)

References

https://github.com/vapor/leaf-kit/security/advisories/GHSA-6jj5-j4j8-8473

x_refsource_CONFIRM

https://github.com/vapor/leaf-kit/commit/6044b844caa858a0c5f2505ac166f5a057c990dc

x_refsource_MISC

https://github.com/vapor/leaf-kit/releases/tag/1.14.2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.