CVE-2026-27121 | THREATINT

Description

svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.

PUBLISHED Reserved 2026-02-17 | Published 2026-02-20 | Updated 2026-02-23 | Assigner GitHub_M

MEDIUM: 5.1CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 5.51.5

affected

References

github.com/...svelte/security/advisories/GHSA-f7gr-6p89-r883

cve.org (CVE-2026-27121)

nvd.nist.gov (CVE-2026-27121)

Download JSON