CVE-2026-32732
Cross-Site Scripting in Lean 4 Unicode Input Component
Publication date: 2026-03-16
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| leanprover | unicode_input_component | < 0.2.0 (0.2.0 excluded) |
| leanprover | unicode_input_component | 0.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32732 is a Cross-Site Scripting (XSS) vulnerability in the @leanprover/unicode-input-component used by the Lean 4 VS Code Extension. The component re-inserts user text into an input element as unescaped HTML: its event handlers read the element's innerText (plain, unescaped text) and then assign an innerHTML string built from that text plus the component's own markup, without escaping the text content. A "<", ">" or "&" typed or pasted into the element is therefore interpreted as markup, so an attacker who can get such text into the field can inject HTML or script.

The issue affects versions 0.1.9 and lower of the package and was fixed in version 0.2.0 by escaping all text before it is assigned to innerHTML, the only exception being the specific internal underline tags the component emits itself. [1, 2]
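The pattern described above, reproduced as an added example rather than as code from @leanprover/unicode-input-component: a hypothetical mini-renderer (FakeElement, renderVulnerable, renderFixed, hasForeignMarkup and escapeHtml are assumed names, and the exact DOM structure of the real component is not reproduced) that reads innerText, wraps the abbreviation being typed in an underline tag, and writes the result back as innerHTML, first without escaping and then with the escape-everything-but-the-underline-tags fix. It runs under Node without a DOM.

```javascript
// Added example (not the component's own code): the CWE-80 pattern described above,
// reproduced in a hypothetical mini-renderer so it runs under Node without a DOM.
// FakeElement, renderVulnerable, renderFixed and hasForeignMarkup are assumed names.

// Minimal stand-in for the contenteditable element the component draws into.
class FakeElement {
  constructor(text) {
    this.innerText = text; // what the user typed, as plain text
    this.innerHTML = '';   // what the handler writes back
  }
}

// Escape the characters that would otherwise be interpreted as markup or attribute delimiters.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: read innerText, wrap the abbreviation being typed (e.g. "\alpha") in an
// underline tag, and write the whole string back as innerHTML with no escaping. Any "<" typed
// or pasted by the user becomes live markup.
function renderVulnerable(el, abbrevStart, abbrevEnd) {
  const text = el.innerText;
  el.innerHTML =
    text.slice(0, abbrevStart) +
    '<u>' + text.slice(abbrevStart, abbrevEnd) + '</u>' +
    text.slice(abbrevEnd);
  return el.innerHTML;
}

// Fixed pattern (the shape of the 0.2.0 fix as described above): every text segment is escaped
// before concatenation; only the component's own underline tags are emitted raw.
function renderFixed(el, abbrevStart, abbrevEnd) {
  const text = el.innerText;
  el.innerHTML =
    escapeHtml(text.slice(0, abbrevStart)) +
    '<u>' + escapeHtml(text.slice(abbrevStart, abbrevEnd)) + '</u>' +
    escapeHtml(text.slice(abbrevEnd));
  return el.innerHTML;
}

// Check: does the rendered markup contain any tag other than a bare <u> / </u>?
// "<u onclick=...>" counts as foreign, since it is not the bare tag the component emits.
function hasForeignMarkup(html) {
  return /<(?!\/?u>)[^>]*>/.test(html);
}

// Constructed input: an injected payload followed by a Lean abbreviation being typed.
const PAYLOAD = '<img src=x onerror=alert(1)>\\alpha';
const START = PAYLOAD.indexOf('\\');
const END = PAYLOAD.length;

const vulnerableOut = renderVulnerable(new FakeElement(PAYLOAD), START, END);
const fixedOut = renderFixed(new FakeElement(PAYLOAD), START, END);
console.log('vulnerable:', vulnerableOut, hasForeignMarkup(vulnerableOut));
console.log('fixed:     ', fixedOut, hasForeignMarkup(fixedOut));
```

The injected `<img>` survives the vulnerable render as a real element, while the fixed render turns it into `&lt;img ...&gt;` text and keeps only the component's own `<u>` wrapper. The hasForeignMarkup check is also a reasonable assertion to keep in the component's own tests: anything beyond bare `<u>`/`</u>` in the produced innerHTML is a regression.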
How can this vulnerability impact me?
This vulnerability allows an attacker to perform a Cross-Site Scripting (XSS) attack by injecting HTML or script into the input element of the unicode input component.
However, exploitation requires active user interaction, and the advisory records no loss of confidentiality, integrity, or availability for the vulnerable system or any subsequent system.
The severity is rated Low. The CVSS v4 base score is 0.0, which reflects those metrics (user interaction required, no recorded confidentiality, integrity or availability impact) rather than the absence of the injection itself; the practical exposure is script injection in the user interface.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects projects that use the @leanprover/unicode-input-component package at version 0.1.9 or lower, so detection comes down to finding out whether such a version is installed.
Check the installed version by running the following command in your project directory:
- npm list @leanprover/unicode-input-component
If the reported version is 0.1.9 or lower, the project is vulnerable to this XSS issue. npm list shows every copy of the package in the tree, including copies nested under other dependencies; each one must be at 0.2.0 or later.
Reviewing the source code and dependency manifests (package.json, package-lock.json) for usage of this package and verifying the version is another way to detect it.
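For an offline check that also catches nested copies, here is an added example (not a tool from the Lean project) that scans a package-lock.json for every installed copy of the package and flags any version below 0.2.0. It assumes the npm lockfileVersion 2/3 layout, where installed packages appear under a top-level "packages" map keyed by their node_modules path; findVulnerable, isBelowFixed and parseVersion are assumed names, and the lock file content is constructed for the example.

```javascript
// Added example, not from the Lean project: scan a package-lock.json (lockfileVersion 2 or 3,
// "packages" map keyed by node_modules path) for every installed copy of
// @leanprover/unicode-input-component and flag versions below the fixed release 0.2.0.
const PKG = '@leanprover/unicode-input-component';
const FIXED = [0, 2, 0];

// Parse the numeric major.minor.patch prefix; returns null for anything unparseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when the version sorts before 0.2.0. Unparseable versions (git URLs, file: links) are
// reported as suspect so that they get reviewed by hand rather than silently passed.
function isBelowFixed(v) {
  const p = parseVersion(v);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p[i] < FIXED[i]) return true;
    if (p[i] > FIXED[i]) return false;
  }
  return false; // exactly 0.2.0
}

// Walk the "packages" map; both the top-level copy and any copy nested under another
// dependency end with "node_modules/<PKG>".
function findVulnerable(lockJson) {
  const lock = JSON.parse(lockJson);
  const suffix = `node_modules/${PKG}`;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      if (isBelowFixed(entry.version)) hits.push({ path, version: String(entry.version) });
    }
  }
  return hits;
}

// Constructed sample lock file: the direct copy is already patched, but a nested copy
// pulled in by another dependency is still on 0.1.9.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-webview',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-webview' },
    'node_modules/@leanprover/unicode-input-component': { version: '0.2.0' },
    'node_modules/some-editor-widget': {
      version: '1.4.2',
      dependencies: { '@leanprover/unicode-input-component': '0.1.9' },
    },
    'node_modules/some-editor-widget/node_modules/@leanprover/unicode-input-component': { version: '0.1.9' },
  },
});

const vulnerableCopies = findVulnerable(SAMPLE_LOCK);
console.log(vulnerableCopies);
```

To run it against a real project, replace SAMPLE_LOCK with `require('fs').readFileSync('package-lock.json', 'utf8')`. A non-empty result means at least one copy still needs the 0.2.0 upgrade, even if `npm list` at the top level looks clean.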
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update the @leanprover/unicode-input-component package to version 0.2.0 or later, where all text is escaped before being assigned to innerHTML and the injection of arbitrary HTML or script is prevented.
If updating immediately is not possible, a temporary workaround is to replace the unicode input component with a basic HTML text field, which removes the unescaped innerHTML re-insertion and with it the XSS risk.