Description

Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this can lead to XSS if there is a leaf variable in the attribute that is user controlled. This vulnerability is fixed in 1.4.1.

INFO

Published Date :

2026-02-20T21:27:09.642Z

Last Modified :

2026-02-24T18:41:10.070Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27120 vulnerability.

Vendors Products
Vapor
  • Leafkit
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27120.

URL Resource
https://github.com/vapor/leaf-kit/commit/8919e39476c3a4ba05c28b71546bb9195f87ef34 cve-icon cve-icon
https://github.com/vapor/leaf-kit/security/advisories/GHSA-4hfh-fch3-5q7p cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact