CVE-2026-28499

LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn’t work correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes the issue.

More information : https://github.com/vapor/leaf-kit/commit/6044b844caa858a0c5f2505ac166f5a057c990dc