7.5
Leanprover Unicode Input Component Allows Malicious Code Execution
GHSA-6ggm-pwr9-r5h2
CVE-2026-32732
Summary
Using a vulnerable version of the Leanprover Unicode Input Component can allow attackers to inject malicious code into your website. This can happen if you're using version 0.1.9 or earlier of the component. To fix this, update to version 0.2.0 or replace the component with a basic text field.
What to do
- Update leanprover unicode-input-component to version 0.2.0.
- Update leanprover @leanprover/unicode-input-component to version 0.2.0.
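An added example, not code from the advisory or the Lean project: a Node.js check that walks a `package-lock.json` (lockfileVersion 2 or 3 is assumed) and reports every install of the package that predates the fixed 0.2.0, including copies nested under other dependencies. The helper names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag installs of @leanprover/unicode-input-component older than 0.2.0.
const PKG = "@leanprover/unicode-input-component"; // package name from the advisory
const FIXED = "0.2.0";                             // fixed version per the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(?:\+.*)?$/.exec(String(v).trim());
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) } : null;
}

// True when version a sorts before version b. Components are compared numerically
// (so 0.10.0 is not before 0.2.0), and a prerelease sorts before its release.
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre && !b.pre;
}

// Walk the "packages" map of the lockfile and return every install path of PKG
// whose version predates FIXED.
function findVulnerableInstalls(lock) {
  const fixed = parseVersion(FIXED);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/@scope/name"; match top-level and nested copies.
    if (path !== `node_modules/${PKG}` && !path.endsWith(`/node_modules/${PKG}`)) continue;
    const ver = parseVersion(meta.version);
    // Entries without a parseable version are reported too, so they get a manual look.
    if (!ver || isBefore(ver, fixed)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@leanprover/unicode-input-component": { version: "0.2.0" },
    "node_modules/legacy-widget/node_modules/@leanprover/unicode-input-component": { version: "0.1.9" },
  },
};

console.log(findVulnerableInstalls(sampleLock));
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of `sampleLock`.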
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| leanprover | unicode-input-component | <= 0.2.0 | 0.2.0 |
| leanprover | @leanprover/unicode-input-component | <= 0.2.0 | 0.2.0 |
Original title
XSS in @leanprover/unicode-input-component
Original description
### Impact
Projects that use [@leanprover/unicode-input-component](https://www.npmjs.com/package/@leanprover/unicode-input-component) are vulnerable to an XSS exploit in 0.1.9 of the package and lower.
The component re-inserted text in the input element back into the input element as unescaped HTML.
### Patches
The issue has been resolved in 0.2.0.
### Workarounds
Replace the unicode input component with a basic HTML text field.
Vulnerability type
CWE-80
Basic XSS
- https://github.com/leanprover/vscode-lean4/security/advisories/GHSA-6ggm-pwr9-r5...
- https://nvd.nist.gov/vuln/detail/CVE-2026-32732
- https://github.com/leanprover/vscode-lean4/pull/735
- https://leanprover.zulipchat.com/#narrow/channel/113488-general/topic/weird.20be...
- https://github.com/advisories/GHSA-6ggm-pwr9-r5h2
- https://github.com/leanprover/vscode-lean4
Published: 16 Mar 2026 · Updated: 16 Mar 2026 · First seen: 16 Mar 2026