CVE-2026-32732

Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/leanprover/vscode-lean4/pull/735
https://github.com/leanprover/vscode-lean4/security/advisories/GHSA-6ggm-pwr9-r5h2
https://leanprover.zulipchat.com/#narrow/channel/113488-general/topic/weird.20behavior.20in.20loogle.20searchbar/near/578502003

Configurations

No configuration.

History

16 Apr 2026, 14:57

Type	Values Removed	Values Added
Summary		(es) La extensión Lean 4 VS Code es una extensión de Visual Studio Code para el asistente de pruebas Lean 4. Los proyectos que utilizan @leanprover/unicode-input-component son vulnerables a un exploit XSS en la versión 0.1.9 del paquete y anteriores. El componente reinsertaba el texto del elemento de entrada de nuevo en el mismo elemento como HTML sin escapar. El problema ha sido resuelto en la versión 0.2.0.

16 Mar 2026, 14:19

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-16 14:19

Updated : 2026-04-16 14:57

NVD link : CVE-2026-32732

Mitre link : CVE-2026-32732

CVE.ORG link : CVE-2026-32732

JSON object : View

Products Affected

No product.

CWE

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

{"id": "CVE-2026-32732", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 0.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-16T14:19:43.580", "references": [{"url": "https://github.com/leanprover/vscode-lean4/pull/735", "source": "security-advisories@github.com"}, {"url": "https://github.com/leanprover/vscode-lean4/security/advisories/GHSA-6ggm-pwr9-r5h2", "source": "security-advisories@github.com"}, {"url": "https://leanprover.zulipchat.com/#narrow/channel/113488-general/topic/weird.20behavior.20in.20loogle.20searchbar/near/578502003", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-80"}]}], "descriptions": [{"lang": "en", "value": "Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0."}, {"lang": "es", "value": "La extensi\u00f3n Lean 4 VS Code es una extensi\u00f3n de Visual Studio Code para el asistente de pruebas Lean 4. Los proyectos que utilizan @leanprover/unicode-input-component son vulnerables a un exploit XSS en la versi\u00f3n 0.1.9 del paquete y anteriores. El componente reinsertaba el texto del elemento de entrada de nuevo en el mismo elemento como HTML sin escapar. El problema ha sido resuelto en la versi\u00f3n 0.2.0."}], "lastModified": "2026-04-16T14:57:08.337", "sourceIdentifier": "security-advisories@github.com"}