Moderate severity · NVD Advisory · Published Feb 26, 2026 · Updated Feb 26, 2026
Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers
CVE-2026-27902
Description
Svelte is a performance-oriented web framework. Prior to version 5.53.5, errors returned from transformError were not correctly escaped before being embedded in the HTML output, allowing HTML injection and XSS if attacker-controlled content is returned from transformError. Version 5.53.5 fixes the issue.
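The defect class the advisory describes, shown as an added example that is not Svelte's own code: the unescaped interpolation of a transformError result into an SSR comment marker, next to a hardened encoding that cannot terminate the comment, plus a check that distinguishes the two. The marker format `<!--[error:...]-->`, the function names and the sample message are assumptions made for illustration.

```javascript
// Added example, not Svelte's code. Marker format and names are hypothetical.

// Constructed sample: an error message that happens to contain a comment terminator.
const SAMPLE_ERROR = 'fetch failed --> see server logs';

// Vulnerable pattern: whatever transformError returned is interpolated verbatim
// into the hydration marker, so any "-->" in it closes the comment early and
// everything after it is parsed as ordinary markup.
function renderErrorMarkerUnsafe(message) {
  return `<!--[error:${message}]-->`;
}

// Hardened pattern: serialise the message as JSON and replace the only characters
// that can open or close markup with JSON unicode escapes. Entities are not decoded
// inside comments, but JSON.parse reverses this exactly, so a client-side consumer
// of the marker still recovers the original string.
function encodeForHtmlComment(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

function decodeFromHtmlComment(encoded) {
  return JSON.parse(encoded);
}

function renderErrorMarkerSafe(message) {
  return `<!--[error:${encodeForHtmlComment(message)}]-->`;
}

// Check: for SSR output that is supposed to be exactly one comment, report whether
// the comment terminates before the end of the string, i.e. whether content leaked
// into the document. "--!>" also closes a comment per the HTML spec, so it is
// checked as well.
function commentBreaksEarly(html) {
  if (!html.startsWith('<!--')) return true;
  const body = html.slice(4);
  const ends = [body.indexOf('-->'), body.indexOf('--!>')].filter((i) => i >= 0);
  if (ends.length === 0) return true; // unterminated comment
  const end = Math.min(...ends);
  const closeLen = body.startsWith('--!>', end) ? 4 : 3;
  return end + closeLen !== body.length;
}

// Summary of both renderings for the sample message.
function demo() {
  return {
    unsafeBreaksOut: commentBreaksEarly(renderErrorMarkerUnsafe(SAMPLE_ERROR)),
    safeBreaksOut: commentBreaksEarly(renderErrorMarkerSafe(SAMPLE_ERROR)),
    roundTrip: decodeFromHtmlComment(encodeForHtmlComment(SAMPLE_ERROR)) === SAMPLE_ERROR,
  };
}

console.log(demo());
```

The check is useful as a unit test on any renderer that emits data-bearing comment markers: feed it strings containing `-->` and `--!>` and assert that the comment still spans the whole output.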
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| svelte (npm) | >= 5.53.0, < 5.53.5 | 5.53.5 |
References
- github.com/advisories/GHSA-qgvg-pr8v-6rr3 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-27902 (NVD entry)
- github.com/sveltejs/svelte/commit/0298e979371bb583855c9810db79a70a551d22b9 (commit)
- github.com/sveltejs/svelte/releases/tag/svelte@5.53.5 (release)
- github.com/sveltejs/svelte/security/advisories/GHSA-qgvg-pr8v-6rr3 (upstream advisory)