Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This affects the package tempura If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.