Security Advisory
CVE-2026-28499
CVE vulnerability detail — eXtreme Datacenter Security Operations
Description
LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesnt work correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes the issue.