CVE-2026-27122

Medium CVSS: 5.1

svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.

Vendor

Svelte

Product

Svelte

CWE

CWE-79

Yayın Tarihi

2026-02-20 23:16:02

Güncelleme

2026-02-23 20:53:01

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Svelte MEDIUM Svelte 2026

Referanslar

https://github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cp

Benzer Kayıtlar

Medium

CVE-2026-30226

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the…

Medium

CVE-2026-27902

Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly esca…

Medium

CVE-2026-27901

Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textConte…

Medium

CVE-2026-27119

svelte performance oriented web framework. From 5.39.3,

Medium

CVE-2026-27121

svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XS…

Medium

CVE-2026-27125

svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e…