VYPR
Moderate severity · NVD Advisory · Published Feb 26, 2026 · Updated Feb 26, 2026

Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`

CVE-2026-27901

Description

Svelte is a performance-oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and cross-site scripting (XSS) when untrusted data is rendered as the binding's initial value on the server. Version 5.53.5 fixes the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| svelte (npm) | < 5.53.5 | 5.53.5 |
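
A defender-side check for the condition described above, as an added example that is not from the advisory or the Svelte project: it compares an installed `svelte` version against the patched 5.53.5 and lists `bind:innerText` / `bind:textContent` bindings in component source. The function names and the sample component are constructed for illustration; the scan is a regex heuristic and cannot tell whether a component is server-rendered or whether the bound value is untrusted.

```javascript
// Added audit sketch, not Svelte's own code. Patched version taken from the advisory.
const FIXED = [5, 53, 5];

// Parse "5.53.4", "v5.53.4" or "5.53.5-next.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when installed < 5.53.5. Under semver ordering a prerelease of 5.53.5 sorts below it.
function isAffected(installed) {
  const { parts, pre } = parseVersion(installed);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return pre;
}

// List each bind:innerText / bind:textContent with its line and bound expression.
// The shorthand form (no ={...}) binds to a variable of the same name.
function findBindings(source) {
  const re = /\bbind:(innerText|textContent)\b(?:\s*=\s*\{([^}]*)\})?/g;
  const hits = [];
  for (const m of source.matchAll(re)) {
    const line = source.slice(0, m.index).split("\n").length;
    hits.push({ line, binding: m[1], expr: (m[2] ?? m[1]).trim() });
  }
  return hits;
}

// Constructed sample component (not from the advisory).
const SAMPLE = [
  "<!-- profile editor, values arrive from the server load function -->",
  "<div contenteditable bind:innerText={bio}></div>",
  '<p contenteditable="true" bind:textContent></p>',
  "<input bind:value={bio} />",
].join("\n");

// Combine both checks: bindings to review, and whether the installed version predates the fix.
function audit(installedVersion, source) {
  const affected = isAffected(installedVersion);
  const hits = findBindings(source);
  return { affected, hits, reviewNeeded: affected && hits.length > 0 };
}

console.log(JSON.stringify(audit("5.53.4", SAMPLE), null, 2));
```

Each reported expression is a place to confirm where the initial value comes from until the project is on 5.53.5 or later.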
