CVE-2026-27901

Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d	Patch
https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5	Release Notes
https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:svelte:svelte::::::node.js::*
	cpe:2.3:a:svelte:svelte:5.53.5:::::node.js::

History

05 Mar 2026, 14:49

Type	Values Removed	Values Added
First Time		Svelte svelte Svelte
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
CPE		cpe:2.3:a:svelte:svelte:5.53.5:::::node.js:: cpe:2.3:a:svelte:svelte::::::node.js::*
References	~~() https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d -~~	() https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d - Patch
References	~~() https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5 -~~	() https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5 - Release Notes
References	~~() https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh -~~	() https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh - Vendor Advisory
Summary		(es) Framework web Svelte orientado al rendimiento. Antes de la versión 5.53.5, el contenido de `bind:innerText` y `bind:textContent` en elementos `contenteditable` no se escapaba correctamente. Esto podría permitir la inyección de HTML y cross-site scripting (XSS) si se renderizaban datos no confiables como el valor inicial del enlace en el servidor. La versión 5.53.5 corrige el problema.

26 Feb 2026, 02:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-26 02:16

Updated : 2026-03-05 14:49

NVD link : CVE-2026-27901

Mitre link : CVE-2026-27901

CVE.ORG link : CVE-2026-27901

JSON object : View

Products Affected

svelte

svelte

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10