Moderate severityNVD Advisory· Published Feb 20, 2026· Updated Feb 23, 2026
Svelte affected by cross-site scripting via spread attributes in Svelte SSR
CVE-2026-27121
Description
svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sveltenpm | < 5.51.5 | 5.51.5 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-f7gr-6p89-r883ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27121ghsaADVISORY
- github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.