XSS in Vapor Leaf-kit

CVE-2026-28499

LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentiall…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (4.2th percentile)
