CVE-2026-27121

Medium CVSS: 5.1

svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.

Vendor

Svelte

Product

Svelte

CWE

CWE-79

Yayın Tarihi

2026-02-20 23:16:02

Güncelleme

2026-02-23 20:53:34

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Svelte MEDIUM Svelte 2026

Referanslar

https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883

Benzer Kayıtlar

Medium

CVE-2026-30226

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the…

Medium

CVE-2026-27902

Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly esca…

Medium

CVE-2026-27901

Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textConte…

Medium

CVE-2026-27119

svelte performance oriented web framework. From 5.39.3,

Medium

CVE-2026-27122

svelte performance oriented web framework. Prior to 5.51.5, when using in server-side rendering, the provided tag name…

Medium

CVE-2026-27125

svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e…