CVE-2026-27902
MEDIUMSvelte 5.53.0-5.53.5 - Cross-Site Scripting via transformError HTML Injection
Title source: llmDescription
Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/sveltejs/svelte/security/advisories/GHSA-qgvg-pr8v-6rr3
Patch x_refsource_misc
https://github.com/sveltejs/svelte/commit/0298e979371bb583855c9810db79a70a551d22b9
Release Notes x_refsource_misc
https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5
Scores
CVSS v3
5.4
EPSS
0.0023
EPSS Percentile
13.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
npm/svelte
5.53.0 - 5.53.5npm
svelte/svelte
5.53.0 - 5.53.5
Published
Feb 26, 2026
Tracked Since
Feb 26, 2026