PT-2026-25815 · LeafKit

Icmddev · Published 2026-03-16 · Updated 2026-03-18 · CVE-2026-28499

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

LeafKit versions prior to 1.14.2

Description

LeafKit is a templating language with Swift-inspired syntax. Before version 1.14.2, HTML escaping does not work when a template prints a collection (an Array or a Dictionary) with #(value): untrusted strings held inside such a collection reach the HTML output unescaped, which can lead to cross-site scripting (XSS). The cause is in LeafData.htmlEscaped(). Because converting an Array or Dictionary to a String is considered ambiguous, the function returns self unescaped for those cases instead of escaping the elements; when the collection is later serialized, each element is written out without escaping. A String printed directly with #(value) goes through the normal escaping path, so only collection values are affected. A proof of concept (PoC) shows that placing a malicious string inside an array or dictionary that a Leaf template renders triggers XSS.

Recommendations

Update to LeafKit version 1.14.2 or later. Until the update is deployed, do not render collections that can contain user-controlled strings with #(value); escape those strings in Swift before handing the collection to the template, or print the elements individually.
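The escaping path the description refers to, modeled as an added Swift example. This is not LeafKit's code: the TemplateValue enum, the htmlEscape helper, the htmlEscapedVulnerable/htmlEscapedFixed methods, the serializer and the render function are assumptions chosen to mirror the behaviour described for LeafData.htmlEscaped(). The vulnerable variant returns collections unchanged, exactly the "return self for ambiguous cases" branch; the fixed variant escapes recursively before anything is serialized. The payload strings are constructed sample input.

```swift
import Foundation

// Illustrative model of the bug, NOT LeafKit's own types (assumption for this example).
enum TemplateValue {
    case string(String)
    case int(Int)
    case array([TemplateValue])
    case dictionary([String: TemplateValue])
}

// Minimal HTML text-context escaping of the five significant characters.
func htmlEscape(_ s: String) -> String {
    var out = ""
    out.reserveCapacity(s.count)
    for c in s {
        switch c {
        case "&": out += "&amp;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        default: out.append(c)
        }
    }
    return out
}

extension TemplateValue {
    // Pre-1.14.2 behaviour as described in the advisory: collections are returned
    // unchanged because their String conversion is "ambiguous", so no element
    // inside them is ever escaped.
    func htmlEscapedVulnerable() -> TemplateValue {
        switch self {
        case .string(let s): return .string(htmlEscape(s))
        case .int: return self
        case .array, .dictionary: return self   // the silent bypass
        }
    }

    // Fixed behaviour: escaping is total over the value type and recurses into
    // collections, so every leaf string is escaped before serialization.
    func htmlEscapedFixed() -> TemplateValue {
        switch self {
        case .string(let s): return .string(htmlEscape(s))
        case .int: return self
        case .array(let items): return .array(items.map { $0.htmlEscapedFixed() })
        case .dictionary(let dict): return .dictionary(dict.mapValues { $0.htmlEscapedFixed() })
        }
    }

    // Stand-in for the collection serializer: it renders each element and joins
    // them, trusting that escaping has already happened upstream.
    func serialized() -> String {
        switch self {
        case .string(let s): return s
        case .int(let i): return String(i)
        case .array(let items):
            return "[" + items.map { $0.serialized() }.joined(separator: ", ") + "]"
        case .dictionary(let dict):
            let pairs = dict.keys.sorted().map { "\($0): \(dict[$0]!.serialized())" }
            return "[" + pairs.joined(separator: ", ") + "]"
        }
    }
}

// Simulates `#(value)` in a template: escape first, then serialize.
func render(_ value: TemplateValue, fixed: Bool) -> String {
    let escaped = fixed ? value.htmlEscapedFixed() : value.htmlEscapedVulnerable()
    return escaped.serialized()
}

// Constructed sample input: attacker-controlled strings nested inside a collection.
let payload = TemplateValue.array([
    .string("<script>alert(document.cookie)</script>"),
    .dictionary(["name": .string("<img src=x onerror=alert(1)>")]),
])

print("vulnerable: \(render(payload, fixed: false))")
print("fixed:      \(render(payload, fixed: true))")
```

Running the file with `swift` prints the `<script>` and `<img>` payloads verbatim on the vulnerable path and their `&lt;`/`&gt;` forms on the fixed path. The review lesson is that an escaping function must cover every case of the value type; a branch that hands back the original value because a case is "ambiguous" is a bypass, and the serializer downstream has no way to know that it received unescaped data.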

Exploit: proof of concept published · Fix: available (1.14.2)

Tags

XSS

Weakness Enumeration

Improper Encoding or Escaping of Output (CWE-116)

Related Identifiers

CVE-2026-28499
GHSA-6JJ5-J4J8-8473

Affected Products

LeafKit (versions prior to 1.14.2)