CVE-2026-27121

State: PUBLISHED · Published: 2026-02-20 · Updated: 2026-02-23 · Assigner: GitHub_M

Description

svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.

CWE

CWE-79 — CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected

sveltejs / svelte — v=< 5.51.5 [affected]

CVSS

4.0 score=5.1 severity=MEDIUM CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References

https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883 x_refsource_CONFIRM

Source

cvelistV5-main/cves/2026/27xxx/CVE-2026-27121.json