3 matches found
CVE-2021-37634
LeafKit (Leaf kit) prior to v1.3.0 is vulnerable to Cross-site Scripting (XSS) when unsanitised data is passed to variable tags due to lack of escaping. The issue stems from not escaping strings rendered as variables, allowing injected scripts into generated Leaf pages if mitigations like a CSP a...
CVE-2026-28499
LeafKit (Vapor) prior to version 1.14.2 has an HTML escaping flaw when rendering collection values (Array/Dictionary) via #(value), which can cause XSS by unescaped output. The issue is fixed in LeafKit 1.14.2. Affected tooling references include CVE-2026-28499 and related advisories (NVD, Red Ha...
CVE-2026-27120
Leaf-kit (templating library for Swift) before version 1.4.1 is vulnerable to HTML escaping bypass via extended grapheme clusters in htmlEscaped(), enabling potential XSS in attribute contexts when user-controlled variables are interpolated. The root cause is that htmlEscaped escapes only when th...