Paolo Ricciuti

1 exploit Active since Feb 2026
CVE-2026-27901 WRITEUP MEDIUM WRITEUP
Svelte < 5.53.5 - Cross-Site Scripting via contenteditable Element Binding
Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.
CVSS 6.1