Moderate severity · NVD Advisory · Published Feb 26, 2026 · Updated Feb 26, 2026
Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`
CVE-2026-27901
Description
Svelte is a performance-oriented web framework. Prior to version 5.53.5, the initial contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not HTML-escaped during server-side rendering. Rendering untrusted data as a binding's initial value on the server therefore allowed HTML injection and Cross-Site Scripting (XSS). Version 5.53.5 fixes the issue by escaping those two bindings on the server; `bind:innerHTML`, whose contract is to accept markup, intentionally remains unescaped and must still never be fed untrusted data.
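To make the mechanism concrete, here is an added example (not Svelte's code and not part of the advisory) that models the two server-side code paths side by side and adds a version check for the affected range. The escaper, the render helpers, the payload and every function name below are assumptions made for illustration; Svelte's real `$.escape` helper and compiler output from the patch are not reproduced.

```javascript
// Added example, not Svelte's own code: a minimal model of how a server renderer
// emits the initial value of a contenteditable binding before and after the fix
// in svelte 5.53.5, plus a version check for the affected range. The escaper,
// the render helpers and the payload are constructed for illustration; Svelte's
// real $.escape and compiler output are not reproduced here.

// Text-content escaper covering the characters that can break out of element
// content. Quotes are left alone: they only matter inside attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

const CONTENT_EDITABLE_BINDINGS = ['innerHTML', 'innerText', 'textContent'];

function assertBinding(binding) {
  if (!CONTENT_EDITABLE_BINDINGS.includes(binding)) {
    throw new Error(`unsupported contenteditable binding: ${binding}`);
  }
}

// Behaviour before 5.53.5: every contenteditable binding was emitted raw.
function renderBindingVulnerable(binding, value) {
  assertBinding(binding);
  return `<div contenteditable="">${value}</div>`;
}

// Behaviour from 5.53.5: only innerHTML stays raw, because its contract is
// "this string is markup". innerText and textContent are text, so they are escaped.
function renderBindingFixed(binding, value) {
  assertBinding(binding);
  const content = binding === 'innerHTML' ? value : escapeHtml(value);
  return `<div contenteditable="">${content}</div>`;
}

// Detects whether rendered markup still carries a live <script> start tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed untrusted input, e.g. a stored draft loaded from a database.
const PAYLOAD = "<script>alert('pwnd')</script>";

// Renders the payload through every binding with both code paths and reports
// which ones leave a live <script> element in the SSR output.
function compareRenderers(payload = PAYLOAD) {
  const report = {};
  for (const binding of CONTENT_EDITABLE_BINDINGS) {
    report[binding] = {
      vulnerable: containsScriptTag(renderBindingVulnerable(binding, payload)),
      fixed: containsScriptTag(renderBindingFixed(binding, payload)),
    };
  }
  return report;
}

// Affected-range check from the advisory: svelte < 5.53.5. Accepts plain
// "x.y.z" and "x.y.z-prerelease" strings (e.g. the `version` field from
// node_modules/svelte/package.json); a prerelease of 5.53.5 sorts before
// the release and is therefore reported as affected.
const FIXED_VERSION = [5, 53, 5];

function isAffectedSvelteVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  const parts = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return m[4] !== undefined; // same x.y.z: only a prerelease is still below 5.53.5
}

console.log(JSON.stringify(compareRenderers(), null, 2));
console.log('5.53.4 affected:', isAffectedSvelteVersion('5.53.4'));
```

Run it with `node`: the report shows `innerText` and `textContent` going from a live `<script>` element to inert text, while `innerHTML` stays raw on both paths. That last row is the practical caveat: the fix does not make `bind:innerHTML` safe for untrusted input, it only stops the two text bindings from behaving like it.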
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| svelte (npm) | < 5.53.5 | 5.53.5 |
Patches
0df5abcae223 Merge commit from fork
4 files changed · +19 −2
.changeset/bindings-xss-fix.md+5 −0 added@@ -0,0 +1,5 @@ +--- +'svelte': patch +--- + +fix: escape `innerText` and `textContent` bindings of `contenteditable`
packages/svelte/src/compiler/phases/3-transform/server/visitors/shared/element.js+6 −2 modified@@ -123,9 +123,13 @@ export function build_element_attributes(node, context, transform) { expression = transform(expression, attribute.metadata.expression); - if (is_content_editable_binding(attribute.name)) { + if (attribute.name === 'innerHTML') { + // innerHTML is the only binding we don't escape content = expression; - } else if (attribute.name === 'value' && node.name === 'textarea') { + } else if ( + is_content_editable_binding(attribute.name) || + (attribute.name === 'value' && node.name === 'textarea') + ) { content = b.call('$.escape', expression); } else if (attribute.name === 'group' && attribute.expression.type !== 'SequenceExpression') { const value_attribute = /** @type {AST.Attribute | undefined} */ (
packages/svelte/tests/server-side-rendering/samples/contenteditable-bindings-escaped/_expected.html+1 −0 added@@ -0,0 +1 @@ +<!--[--><div contenteditable=""><script>alert('pwnd')</script></div> <div contenteditable=""><script>alert('pwnd')</script></div> <div contenteditable=""><script>alert('pwnd')</script></div><!--]--> \ No newline at end of file
packages/svelte/tests/server-side-rendering/samples/contenteditable-bindings-escaped/main.svelte+7 −0 added@@ -0,0 +1,7 @@ +<script> + let data = $state("<scri"+"pt>alert('pwnd')</scr"+"ipt>"); +</script> + +<div contenteditable bind:innerText={data}></div> +<div contenteditable bind:textContent={data}></div> +<div contenteditable bind:innerHTML={data}></div>
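Review bot: In the `build_element_attributes` hunk of element.js the new `attribute.name === 'innerHTML'` branch is load-bearing only because it is checked before `is_content_editable_binding(attribute.name)`, which the removed line shows also matched innerHTML; a comment saying the order matters, or an explicit `attribute.name !== 'innerHTML'` guard in the second condition, would keep a later reordering from silently re-escaping innerHTML or emitting the text bindings raw again.

Review bot: The new sample in contenteditable-bindings-escaped exercises only `<div contenteditable>`, but the same hunk folds the `textarea` `value` case into the shared `$.escape` branch; adding a `<textarea bind:value={data}></textarea>` line to main.svelte with the matching escaped output in _expected.html would guard that path against regression too. Also, the `"<scri"+"pt>…"` split in main.svelte deserves a one-line comment explaining that it stops the parser from reading the literal `</script>` as the end of the `<script>` block, and _expected.html is committed without a trailing newline.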
References
- github.com/advisories/GHSA-phwv-c562-gvmh
- nvd.nist.gov/vuln/detail/CVE-2026-27901
- github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d
- github.com/sveltejs/svelte/releases/tag/svelte@5.53.5
- github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh