CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32732: Cross-Site Scripting (XSS) in @leanprover/unicode-input-component

Vulnerability ID: CVE-2026-32732
CVSS Score: 0.0 (placeholder; no score had been assigned at publication)
Published: 2026-03-16

The @leanprover/unicode-input-component npm package, used by the Lean 4 VS Code extension, contains a Cross-Site Scripting (XSS) vulnerability. Versions 0.1.9 and lower insert the text surrounding a replaced unicode abbreviation into the DOM without neutralizing HTML, so script-bearing markup in that text is interpreted as live markup and executed in the client context.

TL;DR

A CWE-80 vulnerability in @leanprover/unicode-input-component <= 0.1.9 allows XSS via unescaped DOM insertion during text rendering. Fixed in version 0.2.0 by introducing HTML entity encoding.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-80
  • Attack Vector: Network (attacker-controlled text reaching the client-side component)
  • CVSS Score: 0.0 (Reported Placeholder)
  • EPSS Percentile: 13.35%
  • Impact: Arbitrary JavaScript Execution
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • @leanprover/unicode-input-component <= 0.1.9 (fixed in 0.2.0)
  • vscode-lean4 extension (consumes the component)
  • Loogle search bar (where the behaviour was first observed, per the Zulip report)

Code Analysis

Commit: 14b7a10

Fix XSS vulnerability by introducing escapeHtml function and escaping string slices during abbreviation replacement.

Exploit Details

  • Zulip Discussion: Initial report describing anomalous behavior in the Loogle search bar caused by the XSS payload.

Mitigation Strategies

  • Upgrade @leanprover/unicode-input-component to version 0.2.0 or higher. This is the only complete fix, since it encodes the text at the point where it is inserted into the DOM.
  • If patching is delayed, sanitizing text before it reaches the component (with DOMPurify or a similar library) is a stopgap only: it does not change the component's unescaped DOM insertion, and HTML sanitization will alter legitimate text containing angle brackets, which is common in Lean source.
  • Alternatively, temporarily substitute the component with a standard HTML input element, accepting the loss of unicode abbreviation expansion until the upgrade lands.

Remediation Steps:

  1. Identify all projects utilizing @leanprover/unicode-input-component in the dependency tree
  2. Modify package.json to require version ^0.2.0
  3. Run npm install or yarn install to update the lockfile
  4. Deploy the updated application build to production environments
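Step 1 is where upgrades most often go wrong: `npm ls` at the top level and a `^0.2.0` range in package.json cover the direct dependency, but a copy pinned by another package lands nested under that package's node_modules and keeps its old version. The script below is an added example, not tooling from the project, that walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3 layout) for every installed copy of the component and flags versions below 0.2.0 with a numeric semver comparison. The lockfile and the package name `some-editor-widget` are constructed for the example.

```javascript
// Added example, not tooling from the project. Scans the "packages" map of an
// npm lockfile (lockfileVersion 2/3) for every installed copy of the component,
// nested copies included, and flags versions below the fixed release.
// SAMPLE_LOCK and "some-editor-widget" are constructed for this example.
const AFFECTED_PACKAGE = '@leanprover/unicode-input-component';
const FIXED_VERSION = '0.2.0';

// Parse "x.y.z" (ignoring any prerelease/build suffix) into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: a string compare would wrongly rank "0.10.0" below "0.2.0".
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected means strictly below the fixed version, i.e. <= 0.1.9.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Return every lockfile path that installs an affected copy of the component.
// Keys look like "node_modules/pkg" or "node_modules/dep/node_modules/pkg".
function findAffectedInstalls(lock) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + AFFECTED_PACKAGE) && entry.version && isAffected(entry.version)) {
      found.push({ path, version: entry.version });
    }
  }
  return found;
}

// Constructed lockfile: the top-level copy is patched, but a nested copy pinned
// by another package is still on 0.1.8.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@leanprover/unicode-input-component': '^0.2.0' } },
    'node_modules/@leanprover/unicode-input-component': { version: '0.2.0' },
    'node_modules/some-editor-widget': {
      version: '1.4.2',
      dependencies: { '@leanprover/unicode-input-component': '0.1.8' },
    },
    'node_modules/some-editor-widget/node_modules/@leanprover/unicode-input-component': { version: '0.1.8' },
  },
};

for (const hit of findAffectedInstalls(SAMPLE_LOCK)) {
  console.log(`AFFECTED ${hit.version} at ${hit.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. A nested hit like the one above is not fixed by editing the top-level range; it needs the intermediate package to release a bump or an `overrides` entry in package.json that forces the nested copy to 0.2.0, followed by a fresh install and a rerun of the scan.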

