CVE-2026-27120
Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster
In short
Leaf-kit's HTML escaping feature fails when special characters are combined with extra Unicode characters (grapheme clusters), allowing attackers to inject malicious code into web pages. This can let hackers steal user data or take control of accounts through crafted input.
Technical detail
The htmlEscaped function in leaf-kit prior to 1.4.1 performs character-by-character comparison that fails on extended grapheme clusters, allowing bypass of HTML entity encoding. Attack vector: user-controlled input in HTML attributes processed through Leaf templates; impact: reflected XSS execution in victim browsers when attributes containing escaped variables are rendered.
Summary generated and translated by AI from the official description.
Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this can lead to XSS if there is a leaf variable in the attribute that is user controlled. This vulnerability is fixed in 1.4.1.
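The Character-versus-scalar behaviour described above, as an added Swift illustration (not leaf-kit's code, and not a statement of how 1.4.1 implements the fix). The function names and the sample string are constructed for this example; the sample is a double quote followed by the combining mark U+0301, which Swift treats as a single Character.

```swift
// Added illustration only; not leaf-kit source. All names are hypothetical.

/// Compares whole Characters (extended grapheme clusters), the pattern the advisory describes.
func escapeByCharacter(_ input: String) -> String {
    var out = ""
    for ch in input {
        switch ch {
        case "&": out += "&amp;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        default: out.append(ch) // a cluster such as `"` + U+0301 matches no case above
        }
    }
    return out
}

/// Compares Unicode scalars, so a special character is escaped even inside a cluster.
func escapeByScalar(_ input: String) -> String {
    var out = ""
    for scalar in input.unicodeScalars {
        switch scalar {
        case "&": out += "&amp;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        default: out.unicodeScalars.append(scalar)
        }
    }
    return out
}

/// True if a raw quote or angle bracket scalar survives in `s`.
func hasRawQuoteOrBracket(_ s: String) -> Bool {
    let specials: [Unicode.Scalar] = ["\"", "'", "<", ">"]
    return s.unicodeScalars.contains { specials.contains($0) }
}

// Constructed sample: attribute text containing `"` followed by U+0301 (combining acute accent).
let sample = "value\"\u{0301}tail"
print("Characters:", sample.count, "scalars:", sample.unicodeScalars.count)
print("by Character, raw special left:", hasRawQuoteOrBracket(escapeByCharacter(sample)))
print("by scalar,    raw special left:", hasRawQuoteOrBracket(escapeByScalar(sample)))
```

The same `hasRawQuoteOrBracket` check can serve as a regression test for any escaping helper: feed it each special character followed by a combining mark and require that no raw special scalar remains.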
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
vapor · leaf-kit