CVE-2026-27121
MEDIUM
svelte < 5.51.5 - Cross-Site Scripting via Spread Syntax Attribute Rendering
Svelte is a performance-oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When spread syntax is used to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.
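A defence-in-depth filter for the pattern described above, as an added example (not code from Svelte or from the advisory): it reduces untrusted data to an allowlist of attributes before the object is spread onto an element. The function name `safeSpreadAttrs`, the allowlist contents and the sample input are assumptions made for illustration; upgrading to 5.51.5 is the fix the page states.

```javascript
// Hypothetical helper: filter an untrusted object before it is spread as
// element attributes, e.g. <div {...safeSpreadAttrs(profile)}> in a component.
// Allowlist contents are an assumption; adjust to what the element really needs.
const ALLOWED_ATTRS = new Set(['id', 'class', 'title', 'lang', 'dir', 'role', 'alt']);
const ALLOWED_PREFIXES = ['data-', 'aria-'];

function safeSpreadAttrs(untrusted) {
  const clean = {};
  // Only plain objects can carry attributes; anything else yields nothing.
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    return clean;
  }
  for (const [rawKey, value] of Object.entries(untrusted)) {
    const key = rawKey.toLowerCase();
    // Reject names with whitespace, quotes, '=', '/', '>' or a leading
    // underscore (which also excludes "__proto__").
    if (!/^[a-z][a-z0-9-]*$/.test(key)) continue;
    // Event handler attributes (onclick, onmouseover, ...) are never passed on.
    if (key.startsWith('on')) continue;
    const allowed =
      ALLOWED_ATTRS.has(key) || ALLOWED_PREFIXES.some((p) => key.startsWith(p));
    if (!allowed) continue;
    // Only primitive values; objects and functions are dropped.
    if (!['string', 'number', 'boolean'].includes(typeof value)) continue;
    clean[key] = value;
  }
  return clean;
}

// Constructed sample input standing in for user-controlled profile data.
const CONSTRUCTED_PROFILE = JSON.parse(`{
  "id": "bio",
  "data-user": "42",
  "title": "About",
  "onmouseover": "doSomething()",
  "OnClick": "doSomething()",
  "style": "color:red",
  "x onload": "y",
  "class": { "nested": true }
}`);

console.log(safeSpreadAttrs(CONSTRUCTED_PROFILE));
```
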
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883
Scores
CVSS v3
5.4
EPSS
0.0001
EPSS Percentile
1.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
npm/svelte
0 - 5.51.5 (npm)
svelte/svelte
< 5.51.5
Published
Feb 20, 2026
Tracked Since
Feb 21, 2026