Skip to main content

XSS CVE-2026-28499

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-16 https://github.com/vapor/leaf-kit
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 16, 2026 - 17:20 vuln.today
Patch released
Mar 16, 2026 - 17:20 nvd
Patch available
CVE Published
Mar 16, 2026 - 16:22 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Summary

LeafKit HTML-escaping is not working correctly when a template prints a collection (Array / Dictionary) via #(value). This can result in XSS, allowing potentially untrusted input to be rendered unescaped.

Details

LeafKit attempts to escape expressions during serialization, but due to LeafData.htmlEscaped()'s implementation, when the escaped type's conversion to String is marked as .ambiguous (as it is the case for Arrays and Dictionaries), an unescaped self is returned.

> Note: I recommend first looking at the POC, before taking a look at the details below, as it is simple. In the detailed, verbose analysis below, I explored the functions involved in more detail, in hopes that it will help you understand and locate this issue.

The issue's detailed analysis:
  1. Leaf expression serialization eventually reaches LeafSerializer's serialize private function below. This is where the leafData is .htmlEscaped(), and then serialized.

https://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafSerialize/LeafSerializer.swift#L60-L66

  1. The LeafData.htmlEscaped() method uses the LeafData.string computed property to convert itself to a string. Then, it calls the htmlEscaped() method on it. However, if the string conversion fails, notice that an unescaped, unsafe self is returned (line 324 below):

https://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafData/LeafData.swift#L321-L328

  1. Regarding why .string may return nil, if the escaped value is not a string already, a convesion is attempted, which may fail.

https://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafData/LeafData.swift#L211-L216

In this specific case, the conversion fails at line 303 below, when conversion.is >= level is checked. The check fails because .array and .dictionary conversions to .string are deemed .ambiguous. If we forcefully allow ambiguous conversions, the vulnerability disappears, as the conversion is successful.

https://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafData/LeafData.swift#L295-L319

  1. Coming back to LeafSerializer's serialize private method, we are now interested in finding out what happens after LeafData.htmlEscaped() returns self. Recall from 1. that the output was then .serialized(). Thus, the unescaped LeafData follows the normal serialization path, as if it were HTML-escaped. More specifically, serialization is done here, where .map / .mapValues is called, unsafely serializing each element of the dictionary.

PoC

<!-- _Complete instructions, including specific configuration details, to reproduce the vulnerability._ -->

In a new Vapor project created with vapor new poc -n --leaf, use a simple leaf template like the following:

html
<!doctype html>
<html>
    <body>
    <h1>#(username)</h1>
      <h2>someDict:</h2>
      <p>#(someDict)</p>
  </body>
</html>

And the following routes.swift:

swift
import Vapor

struct User: Encodable {
    var username: String
    var someDict: [String: String]
}

func routes(_ app: Application) throws {
    app.get { req async throws in
        try await req.view.render("index", User(
            username: "Escaped XSS - <img src=x onerror=alert(1)>",
            someDict: ["<img src=x onerror=alert(1337)>":"<img src=x onerror=alert(31337)>"]
        ))
    }
}

By running and accessing the server in a browser, XSS should be triggered twice (with alert(1337) and alert(31337)). var someDict: [String: String] could also be replaced with an array / dictionary of a different type, such as another Encodable stuct.

Also note that, in a real concerning scenario, the array / dictionary would contain (i.e. reflect) data inputted by the user.

Impact

This is a cross-site scripting (XSS) vulnerability in rendered Leaf templates. Vapor/Leaf applications that render user-controlled data inside arrays or dictionaries using #(value) may be impacted.

AnalysisAI

LeafKit's HTML escaping mechanism fails to properly sanitize arrays and dictionaries when rendered via templates, enabling cross-site scripting (XSS) attacks where untrusted data is output unescaped. Applications using LeafKit templates to display user-controlled collections are vulnerable to arbitrary JavaScript execution in user browsers. A patch is available to address this vulnerability.

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

A vendor patch is available — apply it immediately. Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

Share

CVE-2026-28499 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy