{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28499", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T20:57:47.708Z", "datePublished": "2026-03-18T01:19:36.122Z", "dateUpdated": "2026-03-18T14:08:06.611Z"}, "containers": {"cna": {"title": "LeafKit's HTML escaping may be skipped for Collection values, enabling XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/vapor/leaf-kit/security/advisories/GHSA-6jj5-j4j8-8473", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vapor/leaf-kit/security/advisories/GHSA-6jj5-j4j8-8473"}, {"name": "https://github.com/vapor/leaf-kit/commit/6044b844caa858a0c5f2505ac166f5a057c990dc", "tags": ["x_refsource_MISC"], "url": "https://github.com/vapor/leaf-kit/commit/6044b844caa858a0c5f2505ac166f5a057c990dc"}, {"name": "https://github.com/vapor/leaf-kit/releases/tag/1.14.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/vapor/leaf-kit/releases/tag/1.14.2"}], "affected": [{"vendor": "vapor", "product": "leaf-kit", "versions": [{"version": "< 1.14.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T01:19:36.122Z"}, "descriptions": [{"lang": "en", "value": "LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes the issue."}], "source": {"advisory": "GHSA-6jj5-j4j8-8473", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/vapor/leaf-kit/security/advisories/GHSA-6jj5-j4j8-8473", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T14:08:03.027830Z", "id": "CVE-2026-28499", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:08:06.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28499", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T14:08:03.027830Z"}}}], "references": [{"url": "https://github.com/vapor/leaf-kit/security/advisories/GHSA-6jj5-j4j8-8473", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:07:53.751Z"}}], "cna": {"title": "LeafKit's HTML escaping may be skipped for Collection values, enabling XSS", "source": {"advisory": "GHSA-6jj5-j4j8-8473", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "vapor", "product": "leaf-kit", "versions": [{"status": "affected", "version": "< 1.14.2"}]}], "references": [{"url": "https://github.com/vapor/leaf-kit/security/advisories/GHSA-6jj5-j4j8-8473", "name": "https://github.com/vapor/leaf-kit/security/advisories/GHSA-6jj5-j4j8-8473", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vapor/leaf-kit/commit/6044b844caa858a0c5f2505ac166f5a057c990dc", "name": "https://github.com/vapor/leaf-kit/commit/6044b844caa858a0c5f2505ac166f5a057c990dc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vapor/leaf-kit/releases/tag/1.14.2", "name": "https://github.com/vapor/leaf-kit/releases/tag/1.14.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T01:19:36.122Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28499", "state": "PUBLISHED", "dateUpdated": "2026-03-18T14:08:06.611Z", "dateReserved": "2026-02-27T20:57:47.708Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T01:19:36.122Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vapor:leafkit:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8687D7A-0F30-464E-8F28-21C4B1B29F0D", "versionEndExcluding": "1.14.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes the issue."}, {"lang": "es", "value": "LeafKit es un lenguaje de plantillas con sintaxis inspirada en Swift. Antes de la versi\u00f3n 1.14.2, el escape de HTML no funciona correctamente cuando una plantilla imprime una colecci\u00f3n (Array / Dictionary) a trav\u00e9s de `#(value)`. Esto puede resultar en XSS, permitiendo que la entrada potencialmente no confiable se renderice sin escape. La versi\u00f3n 1.14.2 soluciona el problema."}], "id": "CVE-2026-28499", "lastModified": "2026-03-18T19:48:35.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T02:16:24.060", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vapor/leaf-kit/commit/6044b844caa858a0c5f2505ac166f5a057c990dc"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/vapor/leaf-kit/releases/tag/1.14.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vapor/leaf-kit/security/advisories/GHSA-6jj5-j4j8-8473"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vapor/leaf-kit/security/advisories/GHSA-6jj5-j4j8-8473"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.14.2)"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "leaf-kit", "source": "cna", "vendor": "vapor"}, "product": "leafkit", "vendor": "vapor"}], "analysis": {"en": {"generated_at": "2026-03-18T21:22:28.640048+00:00", "value": {"mitigation_remediation": ["Upgrade LeafKit to version 1.14.2 or later.", "Verify that all templates use the updated library and current escaping behavior.", "If an update is not possible, sanitize collection data before passing to templates or remove raw output of collections from templates."], "summary": {"action": "Patch Now", "impact": "Cross-site Scripting"}, "threat_synthesis": {"affected_systems": "Affected systems include all installations of vapor:leaf-kit running a version earlier than 1.14.2. The vulnerability is present in all releases preceding the 1.14.2 fix, and applies to the generic cpe:2.3:a:vapor:leafkit:*:*:*:*:*:*:*:* platform. Applying the update to v1.14.2 or later resolves the issue.", "description_and_impact": "LeafKit is a templating language that, before version 1.14.2, fails to escape HTML when a template outputs a collection using #(value). This bug allows untrusted input containing malicious script or HTML to be rendered directly into the page, resulting in a Cross\u2011Site Scripting (XSS) vulnerability. The weakness corresponds to CWE\u201179 and CWE\u201180 (Cross\u2011site Scripting) and involves improper handling of textual content (CWE\u2011116).", "risk_and_exploitability": "The CVSS v3 score is 6.9, indicating medium severity. The EPSS score is below 1%, suggesting a low probability of active exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can exploit the flaw by providing crafted data to the template rendering process, typically via a web form or API that feeds untrusted values into LeafKit templates. Because the output is not encoded, injected JavaScript can execute in the context of the user\u2019s browser, potentially leading to session hijacking or the disclosure of sensitive information."}}}}, "created": "2026-03-18T10:42:19.326845+00:00", "updated": "2026-03-24T10:53:49.037731+00:00", "vendors": ["vapor", "vapor$PRODUCT$leafkit"]}