CVE-2026-27901

MEDIUM

Svelte < 5.53.5 - Cross-Site Scripting via contenteditable Element Binding


Description

Svelte is a performance-oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped during server-side rendering. If untrusted data was rendered on the server as a binding's initial value, this could enable HTML injection and Cross-Site Scripting (XSS). Version 5.53.5 fixes the issue.

Scores

CVSS v3 6.1
EPSS 0.0003
EPSS Percentile 10.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
npm/svelte 0 - 5.53.5 (npm)
svelte/svelte 5.53.5
svelte/svelte < 5.53.5
Published Feb 26, 2026
Tracked Since Feb 26, 2026