{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32732", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.627Z", "datePublished": "2026-03-13T21:43:22.209Z", "dateUpdated": "2026-03-16T20:22:43.428Z"}, "containers": {"cna": {"title": "XSS in @leanprover/unicode-input-component", "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/leanprover/vscode-lean4/security/advisories/GHSA-6ggm-pwr9-r5h2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/leanprover/vscode-lean4/security/advisories/GHSA-6ggm-pwr9-r5h2"}, {"name": "https://github.com/leanprover/vscode-lean4/pull/735", "tags": ["x_refsource_MISC"], "url": "https://github.com/leanprover/vscode-lean4/pull/735"}, {"name": "https://leanprover.zulipchat.com/#narrow/channel/113488-general/topic/weird.20behavior.20in.20loogle.20searchbar/near/578502003", "tags": ["x_refsource_MISC"], "url": "https://leanprover.zulipchat.com/#narrow/channel/113488-general/topic/weird.20behavior.20in.20loogle.20searchbar/near/578502003"}], "affected": [{"vendor": "leanprover", "product": "vscode-lean4", "versions": [{"version": "< 0.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T21:43:22.209Z"}, "descriptions": [{"lang": "en", "value": "Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0."}], "source": {"advisory": "GHSA-6ggm-pwr9-r5h2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32732", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T20:09:27.977368Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:22:43.428Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32732", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T20:09:27.977368Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:20:37.687Z"}}], "cna": {"title": "XSS in @leanprover/unicode-input-component", "source": {"advisory": "GHSA-6ggm-pwr9-r5h2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "leanprover", "product": "vscode-lean4", "versions": [{"status": "affected", "version": "< 0.2.0"}]}], "references": [{"url": "https://github.com/leanprover/vscode-lean4/security/advisories/GHSA-6ggm-pwr9-r5h2", "name": "https://github.com/leanprover/vscode-lean4/security/advisories/GHSA-6ggm-pwr9-r5h2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/leanprover/vscode-lean4/pull/735", "name": "https://github.com/leanprover/vscode-lean4/pull/735", "tags": ["x_refsource_MISC"]}, {"url": "https://leanprover.zulipchat.com/#narrow/channel/113488-general/topic/weird.20behavior.20in.20loogle.20searchbar/near/578502003", "name": "https://leanprover.zulipchat.com/#narrow/channel/113488-general/topic/weird.20behavior.20in.20loogle.20searchbar/near/578502003", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T21:43:22.209Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32732", "state": "PUBLISHED", "dateUpdated": "2026-03-16T20:22:43.428Z", "dateReserved": "2026-03-13T15:02:00.627Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T21:43:22.209Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0."}, {"lang": "es", "value": "La extensi\u00f3n Lean 4 VS Code es una extensi\u00f3n de Visual Studio Code para el asistente de pruebas Lean 4. Los proyectos que utilizan @leanprover/unicode-input-component son vulnerables a un exploit XSS en la versi\u00f3n 0.1.9 del paquete y anteriores. El componente reinsertaba el texto del elemento de entrada de nuevo en el mismo elemento como HTML sin escapar. El problema ha sido resuelto en la versi\u00f3n 0.2.0."}], "id": "CVE-2026-32732", "lastModified": "2026-04-16T14:57:08.337", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:43.580", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/leanprover/vscode-lean4/pull/735"}, {"source": "security-advisories@github.com", "url": "https://github.com/leanprover/vscode-lean4/security/advisories/GHSA-6ggm-pwr9-r5h2"}, {"source": "security-advisories@github.com", "url": "https://leanprover.zulipchat.com/#narrow/channel/113488-general/topic/weird.20behavior.20in.20loogle.20searchbar/near/578502003"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "vscode-lean4", "source": "cna", "vendor": "leanprover"}, "product": "vscode-lean4", "vendor": "leanprover"}], "analysis": {"en": {"generated_at": "2026-03-16T23:42:21.960537+00:00", "value": {"mitigation_remediation": ["Update the @leanprover/unicode\u2011input\u2011component package to version\u202f0.2.0 or later. ", "Verify that the Lean\u202f4 VS\u202fCode extension has been updated to include the patched component. ", "If an upgrade cannot be performed immediately, avoid using the affected component until a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting in Lean\u202f4 VS\u202fCode extension"}, "threat_synthesis": {"affected_systems": "Projects that use the Lean\u202f4 VS\u202fCode extension from vendor leanprover (product vscode\u2011lean4) and include the @leanprover/unicode-input-component package version\u202f0.1.9 or older are affected. The vulnerability was fixed in component version\u202f0.2.0.", "description_and_impact": "The vulnerability is in the @leanprover/unicode-input-component package (version\u202f0.1.9 and earlier) used by the Lean\u202f4 Visual Studio Code extension. The package re\u2011inserts user-supplied text into an input element as unescaped HTML, creating a Cross\u2011Site Scripting (CWE\u201180) condition. An attacker could inject malicious scripts that would execute within the context of the extension.", "risk_and_exploitability": "The EPSS score is below\u202f1\u202f% and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of exploitation. The attack requires the attacker to provide malicious input to the extension\u2019s input element, so the exploitation vector is user\u2011initiated input within the project environment."}}}}, "created": "2026-03-16T09:22:27.773423+00:00", "updated": "2026-03-23T13:39:10.875463+00:00", "vendors": ["leanprover", "leanprover$PRODUCT$vscode-lean4"]}