CVE-2026-32732
Awaiting Analysis Awaiting Analysis - Queue
Cross-Site Scripting in Lean 4 Unicode Input Component

Publication date: 2026-03-16

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32732
EUVD
EUVD-2026-12181
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
leanprover unicode_input_component to 0.2.0 (exc)
leanprover unicode_input_component 0.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32732 is a Cross-Site Scripting (XSS) vulnerability in the @leanprover/unicode-input-component used by the Lean 4 VS Code Extension. The vulnerability occurs because the component re-inserts text into an input element as unescaped HTML. Specifically, event handlers read the element's innerText (which is unescaped) and then set innerHTML with markup without properly escaping all text content. This allows an attacker to inject malicious HTML or scripts into the input element."}, {'type': 'paragraph', 'content': 'The issue affects versions 0.1.9 and lower of the package and was fixed in version 0.2.0 by ensuring all text is escaped before being assigned to innerHTML, except for specific internal underline tags.'}] [1, 2]

Impact Analysis

This vulnerability allows an attacker to perform a Cross-Site Scripting (XSS) attack by injecting malicious HTML or scripts into the input element of the unicode input component.

However, the exploit requires active user interaction and does not result in loss of confidentiality, integrity, or availability of the system or subsequent systems.

The severity is rated low with a CVSS v4 base score of 0.0, indicating limited impact beyond the potential for script injection in the user interface.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects projects using the @leanprover/unicode-input-component package version 0.1.9 or lower. Detection involves identifying if this vulnerable package version is in use.

You can check the installed version of the package in your project by running the following command in your project directory:

  • npm list @leanprover/unicode-input-component

If the version is 0.1.9 or lower, your system is vulnerable to this XSS issue.

Additionally, reviewing the source code or dependencies for usage of this package and verifying the version can help detect the vulnerability.

Mitigation Strategies

The primary mitigation step is to update the @leanprover/unicode-input-component package to version 0.2.0 or later, where the vulnerability has been fixed.

If immediate updating is not possible, a temporary workaround is to replace the unicode input component with a basic HTML text field to avoid the XSS risk.

Users are strongly advised to apply the security patch included in version 0.2.0 to prevent malicious injection of arbitrary HTML or scripts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32732. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart