CVE-2026-28499: LeafKit's HTML escaping may be skipped for Collection values, enabling XSS
LeafKit's HTML escaping does not work correctly when a template prints a collection (Array or Dictionary) via #(value). The escaping step that is applied to plain string values is skipped for the collection, so potentially untrusted input held inside it is rendered unescaped, which can result in XSS.
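The bug class described above, shown as a constructed Swift example that is not LeafKit's code and makes no claim about LeafKit's internals: a minimal value type and two renderers for a #(value) tag. The vulnerable renderer escapes only top-level strings and lets collection elements through as raw text; the fixed renderer applies the escaper recursively to every string inside an array or dictionary. The LeafValue type, escapeHTML and the render functions are hypothetical names chosen for this illustration, and the untrusted sample value is constructed.

```swift
// Constructed illustration of the "escaping skipped for collections" bug class.
// Not LeafKit's code; LeafValue, escapeHTML, renderVulnerable and renderFixed
// are hypothetical names.

enum LeafValue {
    case string(String)
    case int(Int)
    case array([LeafValue])
    case dictionary([String: LeafValue])
}

// Minimal HTML escaper for text placed in element content or attributes.
func escapeHTML(_ s: String) -> String {
    var out = ""
    out.reserveCapacity(s.count)
    for c in s {
        switch c {
        case "&": out += "&amp;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        default: out.append(c)
        }
    }
    return out
}

// Raw description used by the vulnerable path: strings are NOT escaped here.
func describeRaw(_ v: LeafValue) -> String {
    switch v {
    case .string(let s): return s
    case .int(let i): return String(i)
    case .array, .dictionary: return renderVulnerable(v)
    }
}

// Vulnerable pattern: only the top-level .string case reaches escapeHTML;
// a collection is stringified from the raw element text.
func renderVulnerable(_ v: LeafValue) -> String {
    switch v {
    case .string(let s): return escapeHTML(s)
    case .int(let i): return String(i)
    case .array(let a):
        return "[" + a.map(describeRaw).joined(separator: ", ") + "]"
    case .dictionary(let d):
        return "[" + d.sorted { $0.key < $1.key }
            .map { "\($0.key): \(describeRaw($0.value))" }
            .joined(separator: ", ") + "]"
    }
}

// Fixed pattern: recurse with the escaping renderer so every nested string
// (and every dictionary key) is escaped before it reaches the output.
func renderFixed(_ v: LeafValue) -> String {
    switch v {
    case .string(let s): return escapeHTML(s)
    case .int(let i): return String(i)
    case .array(let a):
        return "[" + a.map(renderFixed).joined(separator: ", ") + "]"
    case .dictionary(let d):
        return "[" + d.sorted { $0.key < $1.key }
            .map { "\(escapeHTML($0.key)): \(renderFixed($0.value))" }
            .joined(separator: ", ") + "]"
    }
}

// Regression check: no raw angle brackets may survive rendering of a value
// that came from user input, whether it is a bare string or nested in a collection.
func containsRawMarkup(_ rendered: String) -> Bool {
    return rendered.contains("<") || rendered.contains(">")
}

// Constructed untrusted input nested one level deep in a dictionary.
let untrusted: LeafValue = .dictionary([
    "name": .array([.string("<b>untrusted</b>"), .int(7)])
])

let bad = renderVulnerable(untrusted)
let good = renderFixed(untrusted)
print("vulnerable:", bad)   // contains <b>...</b> unescaped
print("fixed:     ", good)  // contains &lt;b&gt;...&lt;/b&gt;
print("vulnerable leaks markup:", containsRawMarkup(bad))   // true
print("fixed leaks markup:     ", containsRawMarkup(good))  // false
```

The containsRawMarkup check is the kind of test worth adding to a template-rendering test suite after upgrading past the affected version: feed a string containing angle brackets through every value shape the engine can print (bare string, array element, dictionary value, nested collection) and assert that none of the rendered outputs contains an unescaped bracket.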