PT-2026-20982 · Leafkit · Leafkit
Bawolff · Published 2026-02-19 · Updated 2026-03-02 · CVE-2026-27120
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Leafkit versions prior to 1.4.1
Description
Leafkit’s htmlEscaped function inadequately escapes HTML special characters when they are part of extended grapheme clusters. The function escapes a special character only when the entire extended grapheme cluster matches it. An extended grapheme cluster that contains both a special HTML character and additional characters therefore bypasses the escaping mechanism. Within HTML attributes in particular, this can lead to Cross-Site Scripting (XSS) if a leaf variable in the attribute is controlled by a user. The issue stems from Swift handling strings in terms of extended grapheme clusters, whereas HTML takes a character-based approach. Depending on the Swift version, the function replacingOccurrences(of:with:) or replacing may be affected. The vulnerability can be exploited by crafting a malicious payload within an attribute, such as the title attribute, to inject arbitrary HTML or JavaScript code.
Recommendations
Versions prior to 1.4.1 should be updated to version 1.4.1 or later.
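The grapheme-cluster mismatch from the description, as an added example that is not Leafkit's code or its 1.4.1 fix: escapeByCharacter models an escaper that compares whole Swift Character values, and escapeByScalar is one way to decide per Unicode scalar instead. All function names and the sample string are constructed for illustration.

```swift
// Added illustration; not Leafkit source. Names and sample input are constructed.

// Model of the flawed approach: matching is done per Character, i.e. per
// extended grapheme cluster, so a quote fused with a combining mark is not "\"".
func escapeByCharacter(_ s: String) -> String {
    var out = ""
    for ch in s {
        switch ch {
        case "&": out += "&amp;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        default: out.append(ch)
        }
    }
    return out
}

// One hardened form: decide per Unicode scalar, the unit an HTML parser sees.
func escapeByScalar(_ s: String) -> String {
    var out = ""
    for u in s.unicodeScalars {
        switch u {
        case "&": out += "&amp;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        default: out.unicodeScalars.append(u)
        }
    }
    return out
}

// Regression check for escaper output: no raw quote or angle bracket may remain.
// "&" is excluded because it legitimately starts the emitted entities.
func hasRawSpecial(_ s: String) -> Bool {
    let special: Set<UInt8> = [0x22, 0x27, 0x3C, 0x3E]
    return s.utf8.contains { special.contains($0) }
}

// Constructed sample: a double quote followed by U+0301 (combining acute accent).
// Swift groups the two scalars into a single Character.
let sample = "a\"\u{0301}b"
print("characters:", sample.count, "scalars:", sample.unicodeScalars.count)
print("per-Character output has raw special:", hasRawSpecial(escapeByCharacter(sample)))
print("per-scalar output has raw special:", hasRawSpecial(escapeByScalar(sample)))
```

A check like hasRawSpecial can be kept as a unit test around any template escaper so that inputs containing combining marks are covered alongside plain ASCII cases.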
Exploit
Fix
XSS
Affected Products
Leafkit