Moderate severity · NVD Advisory · Published Feb 26, 2026 · Updated Feb 26, 2026
Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`
CVE-2026-27901
Description
Svelte is a performance-oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on contenteditable elements were not properly escaped during server-side rendering. This could enable HTML injection and Cross-Site Scripting (XSS) when untrusted data is rendered on the server as the binding's initial value. Version 5.53.5 fixes the issue.
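A simplified model of the bug class described above, added here as an illustration and not Svelte's own renderer code: a server-side renderer emits a contenteditable element whose initial text comes from the bound value. The `escapeHtml`, `renderVulnerable`, `renderFixed` and `leaksMarkup` names and the sample input are assumptions for this example.

```javascript
// Added example, not code from the Svelte project: models how unescaped
// initial text for a contenteditable binding becomes live HTML during SSR.

// Minimal HTML text escaper (assumption: the kind of escaping a fixed
// renderer must apply to text content before writing it into markup).
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable shape (the pre-5.53.5 behaviour the advisory describes): the
// bound value is interpolated as-is, so any markup in it is parsed by the
// browser as elements rather than shown as text.
function renderVulnerable(initialText) {
  return `<div contenteditable="true">${initialText}</div>`;
}

// Fixed shape: the value is escaped before emission. The browser renders it
// as text, and innerText / textContent still yield the original string.
function renderFixed(initialText) {
  return `<div contenteditable="true">${escapeHtml(initialText)}</div>`;
}

// Review/detection helper: does the rendered HTML still contain the raw
// input verbatim? True means markup from the input reached the page unescaped.
function leaksMarkup(html, input) {
  return html.includes(input);
}

// Constructed untrusted input (e.g. a user-supplied profile field).
const untrusted = '<img src=x onerror="alert(1)">';

console.log('vulnerable leaks markup:', leaksMarkup(renderVulnerable(untrusted), untrusted)); // true
console.log('fixed leaks markup:', leaksMarkup(renderFixed(untrusted), untrusted));           // false
```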
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| svelte | npm | < 5.53.5 | 5.53.5 |
Affected products

Four affected package coordinates (no CPE assigned):

- pkg:apk/chainguard/langfuse-3-worker, range: < 3.163.0-r0
- pkg:apk/chainguard/langfuse-fips-3-worker, range: < 3.163.0-r0
- pkg:apk/wolfi/langfuse-3-worker, range: < 3.163.0-r0
- pkg:npm/svelte, range: < 5.53.5
References

- https://github.com/advisories/GHSA-phwv-c562-gvmh (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-27901 (NVD entry)
- https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d (fix commit)
- https://github.com/sveltejs/svelte/releases/tag/svelte@5.53.5 (release notes)
- https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh (project security advisory)