Moderate severityNVD Advisory· Published Feb 20, 2026· Updated Feb 23, 2026
Svelte affected by XSS in SSR `<option>` element
CVE-2026-27119
Description
svelte performance oriented web framework. From 5.39.3, <=5.51.4, in certain circumstances, the server-side rendering output of an element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sveltenpm | >= 5.39.3, < 5.51.5 | 5.51.5 |
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-h7h7-mm68-gmrcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27119ghsaADVISORY
- github.com/sveltejs/svelte/security/advisories/GHSA-h7h7-mm68-gmrcghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.