Moderate severityNVD Advisory· Published Feb 20, 2026· Updated Feb 23, 2026
Svelte SSR does not validate dynamic element tag names in `<svelte:element>`
CVE-2026-27122
Description
svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sveltenpm | < 5.51.5 | 5.51.5 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-m56q-vw4c-c2cpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27122ghsaADVISORY
- github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cpghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.