LeafKit Lack of HTML Escaping Vulnerability

LeafKit lack of HTML escaping vulnerability fixed in 1.14.2

We’ve just released LeafKit 1.14.2, which addresses a security vulnerability: HTML escaping was not applied to Leaf variable substitutions that referenced array or dictionary data, even though it was applied to plain string substitutions. This allowed XSS attacks if the content of such data was at least partially under user control.
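
The following is an added illustration of the escaping rule involved, written in Python; it is not LeafKit's code and does not reproduce Leaf's renderer. The `#(path)` substitution syntax, the sample context (`SAMPLE_CONTEXT`) and the two escaping policies are constructed for the example: `escape_top_level_only` models the behaviour the advisory describes (a string is escaped, an array or dictionary is passed through untouched), and `escape_recursively` is the hardened rule that escapes every string leaf at any nesting depth. `leaked_markup` is a small regression check that reports any untrusted string containing `<` that reaches the output unescaped.

```python
import html
import re
from typing import Any

# Constructed sample data: a page title, a tag list and an author record,
# all of which are assumed to be partly under user control.
SAMPLE_CONTEXT = {
    "title": "Release notes <script>alert(1)</script>",
    "tags": ["security", "<script>alert(1)</script>"],
    "author": {"name": "<b>someone</b>", "id": 42},
}
# Constructed template using a Leaf-like #(path) substitution syntax.
SAMPLE_TEMPLATE = "<h1>#(title)</h1><p>#(tags)</p><p>#(author)</p>"


def escape_top_level_only(value: Any) -> Any:
    """Models the flaw described in the advisory (not LeafKit's actual code):
    a plain string substitution is escaped, but a list or dict is returned
    untouched, so the strings inside it reach the output raw."""
    return html.escape(value, quote=True) if isinstance(value, str) else value


def escape_recursively(value: Any) -> Any:
    """Hardened rule: escape every string leaf, however deeply it is nested
    inside lists or dicts. Non-string leaves (ints, bools, None) pass through."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, list):
        return [escape_recursively(v) for v in value]
    if isinstance(value, dict):
        return {k: escape_recursively(v) for k, v in value.items()}
    return value


def stringify(value: Any) -> str:
    """Turn an (already escaped) value into display text. Lists are joined
    with ', ' and dicts rendered as 'key: value' pairs."""
    if isinstance(value, list):
        return ", ".join(stringify(v) for v in value)
    if isinstance(value, dict):
        return ", ".join(f"{k}: {stringify(v)}" for k, v in value.items())
    return str(value)


def lookup(context: dict, path: str) -> Any:
    """Resolve a dotted path such as 'author.name' against the context."""
    value: Any = context
    for part in path.split("."):
        value = value[part]
    return value


def render(template: str, context: dict, escape) -> str:
    """Minimal #(path) substitution. `escape` is applied to the resolved value
    before it is turned into text, so the escaping policy is the only
    difference between the vulnerable and hardened renderings."""
    def substitute(match: re.Match) -> str:
        return stringify(escape(lookup(context, match.group(1))))
    return re.sub(r"#\(([\w.]+)\)", substitute, template)


def render_vulnerable(template: str = SAMPLE_TEMPLATE, context: dict = SAMPLE_CONTEXT) -> str:
    return render(template, context, escape_top_level_only)


def render_fixed(template: str = SAMPLE_TEMPLATE, context: dict = SAMPLE_CONTEXT) -> str:
    return render(template, context, escape_recursively)


def untrusted_strings(value: Any):
    """Yield every string leaf in the context, at any nesting depth."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, list):
        for v in value:
            yield from untrusted_strings(v)
    elif isinstance(value, dict):
        for v in value.values():
            yield from untrusted_strings(v)


def leaked_markup(rendered: str, context: dict) -> list:
    """Regression check: return the untrusted strings containing '<' that
    appear verbatim (i.e. unescaped) in the rendered output."""
    return [s for s in untrusted_strings(context) if "<" in s and s in rendered]


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable())
    print("leaked    :", leaked_markup(render_vulnerable(), SAMPLE_CONTEXT))
    print("fixed     :", render_fixed())
    print("leaked    :", leaked_markup(render_fixed(), SAMPLE_CONTEXT))
```

Running the block shows the title (a plain string) escaped under both policies, while the tag list and the author dictionary only come out escaped under the recursive rule; `leaked_markup` returns the two raw strings for the vulnerable rendering and an empty list for the fixed one. The design point is that the escaping decision has to be made per string leaf, not per substitution, because the value's shape is not something a template author controls.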

Additional information is available in the security advisory.

Thanks to iCMDDev for reporting this issue!