CVE-2026-27121

svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*

History

17 Jun 2026, 10:26

Type	Values Removed	Values Added
Summary		(es) svelte, un framework web orientado al rendimiento. Las versiones de svelte anteriores a la 5.51.5 son vulnerables a cross-site scripting (XSS) durante la renderización del lado del servidor. Al usar la sintaxis de propagación para renderizar atributos de datos no confiables, las propiedades del gestor de eventos se incluyen en la salida HTML renderizada. Si una aplicación propaga datos controlados por el usuario o externos como atributos de elementos, un atacante puede inyectar gestores de eventos maliciosos que se ejecutan en los navegadores de las víctimas. Esta vulnerabilidad está corregida en la 5.51.5.

23 Feb 2026, 20:53

Type	Values Removed	Values Added
CPE		cpe:2.3:a:svelte:svelte::::::node.js::*
First Time		Svelte svelte Svelte
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
References	~~() https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883 -~~	() https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883 - Vendor Advisory

20 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-20 23:16

Updated : 2026-06-17 10:26

NVD link : CVE-2026-27121

Mitre link : CVE-2026-27121

CVE.ORG link : CVE-2026-27121

JSON object : View

Products Affected

svelte

svelte

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10