12 matches found

Snyk
added 2026/03/16 4:22 p.m. | 1 view

Improper Encoding or Escaping of Output

Overview: vapor/leaf-kit is an expressive, performant, and extensible templating language built for Swift. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the htmlEscaped process. An attacker can inject and execute arbitrary scripts in the context ...

CVSS 6.9 | AI score 6.1 | EPSS 0.00017
Exploits: 1 | References: 4

Vulnrichment
added 2026/02/20 9:27 p.m. | 2 views

CVE-2026-27120 Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster

Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character a...

CVSS 6.1 | AI score 5.5 | EPSS 0.00017
Exploits: 1 | References: 2

OSV
added 2026/02/20 9:27 p.m. | 4 views

CVE-2026-27120 Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster

Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character a...

CVSS 6.1 | AI score 5.6 | EPSS 0.00017
Exploits: 1 | References: 4

CVE
added 2026/02/20 9:27 p.m. | 5 views

CVE-2026-27120

Leaf-kit (templating library for Swift) before version 1.4.1 is vulnerable to HTML escaping bypass via extended grapheme clusters in htmlEscaped(), enabling potential XSS in attribute contexts when user-controlled variables are interpolated. The root cause is that htmlEscaped escapes only when th...

CVSS 6.1 | AI score 5.5 | EPSS 0.00017
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2026/02/20 9:27 p.m. | 28 views

CVE-2026-27120 Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster

Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character a...

CVSS 6.1 | EPSS 0.00017
Exploits: 1 | References: 2

OSV
added 2026/02/19 7:40 p.m. | 3 views

GHSA-4HFH-FCH3-5Q7P Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster

Summary: htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this c...

CVSS 6.1 | AI score 5.6 | EPSS 0.00017
Exploits: 1 | References: 4

Snyk
added 2026/02/19 7:40 p.m. | 1 view

Improper Neutralization of Equivalent Special Elements

Overview: vapor/leaf-kit is an expressive, performant, and extensible templating language built for Swift. Affected versions of this package are vulnerable to Improper Neutralization of Equivalent Special Elements in the htmlEscaped function. An attacker can inject malicious HTML or JavaScript...

CVSS 6.1 | AI score 5.6 | EPSS 0.00017
Exploits: 1 | References: 2

GitHub Security Blog
added 2026/02/19 7:40 p.m. | 4 views

Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster

Summary: htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this c...

CVSS 6.1 | AI score 5.6 | EPSS 0.00017
Exploits: 1 | References: 4 | Affected Software: 1

GitLab Advisory Database
added 2026/02/19 12:0 a.m. | 7 views

Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster

htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this can lead ...

CVSS 6.1 | AI score 5.5 | EPSS 0.00017
Exploits: 1 | References: 5 | Affected Software: 1

Positive Technologies
added 2026/02/19 12:0 a.m. | 6 views

PT-2026-20982

Name of the Vulnerable Software and Affected Versions: Leafkit versions prior to 1.4.1. Description: Leafkit’s htmlEscaped function inadequately escapes HTML special characters when dealing with extended grapheme clusters. This occurs because the function only escapes characters if the extended...

CVSS 6.1 | AI score 5.6 | EPSS 0.00017
Exploits: 1 | References: 9

GitLab Advisory Database
added 2026/02/19 12:0 a.m. | 3 views

Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster

htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this can lead ...

CVSS 6.1 | AI score 5.8 | EPSS 0.00017
Exploits: 1 | References: 4 | Affected Software: 1

Snyk
added 2022/11/06 9:57 a.m. | 1 view

Cross-site Scripting (XSS)

Overview: vapor/leaf-kit is an expressive, performant, and extensible templating language built for Swift. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) with untrusted user input. If an attacker managed to find a variable that was rendered with their unsanitized...

CVSS 7.4 | AI score 5.3 | EPSS 0.00311
Exploits: 0 | References: 2