Cross-Site Scripting in Svelte Framework Affects User-Driven Attributes
CVE-2026-27121

5.1 MEDIUM

Key Information:

Vendor: Sveltejs

Status
Vendor
CVE Published: 20 February 2026

What is CVE-2026-27121?

Svelte, a performance-oriented web development framework, is exposed to a cross-site scripting (XSS) vulnerability when server-side rendering is used. The issue arises when developers use spread syntax to render attributes from untrusted sources. If the element attributes include user-controlled data, an attacker may inject malicious event handlers into the rendered HTML output. These event handlers can then execute in the browsers of unsuspecting users, posing a significant security risk. The vulnerability is fixed in version 5.51.5.
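As defense in depth alongside upgrading, an attribute object from an untrusted source can be reduced to an allowlist before it reaches a spread such as `<div {...safe}>`. The following is an added example, not code from Svelte or from the advisory; `ALLOWED_ATTRIBUTES`, `isAllowedName` and `safeAttributes` are hypothetical names and the sample input is constructed.

```javascript
// Added example: allowlist filter for attribute objects that will be spread
// onto an element. All names here are hypothetical, not Svelte APIs.
const ALLOWED_ATTRIBUTES = new Set(['id', 'class', 'title', 'lang', 'dir', 'role']);

function isAllowedName(name) {
  const lower = name.toLowerCase();
  // Event-handler attributes (onclick, ONMOUSEOVER, ...) are never allowed.
  if (lower.startsWith('on')) return false;
  // Reject names containing whitespace, quotes, '=', '/', '>' or similar.
  if (!/^[a-z][a-z0-9-]*$/.test(lower)) return false;
  return ALLOWED_ATTRIBUTES.has(lower) ||
    lower.startsWith('data-') ||
    lower.startsWith('aria-');
}

// Returns the attributes that are safe to spread plus the names that were
// dropped, so the caller can log rejected input.
function safeAttributes(untrusted) {
  const safe = {};
  const dropped = [];
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    return { safe, dropped };
  }
  for (const [name, value] of Object.entries(untrusted)) {
    // Only primitive values; objects and functions are rejected outright.
    const primitive = ['string', 'number', 'boolean'].includes(typeof value);
    if (primitive && isAllowedName(name)) {
      safe[name.toLowerCase()] = value;
    } else {
      dropped.push(name);
    }
  }
  return { safe, dropped };
}

// Constructed sample input, standing in for a user-supplied JSON body.
const fromRequest = JSON.parse(
  '{"title":"Profile","data-user":"42","ONMOUSEOVER":"constructed()",' +
  '"onclick":"constructed()","style":"color:red","class":{"nested":true}}'
);
const result = safeAttributes(fromRequest);
console.log(result.safe);    // attributes that may be spread
console.log(result.dropped); // rejected names, worth logging server-side
```

Spread only `result.safe` in the component, and treat a non-empty `dropped` list as a signal worth recording.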

Affected Version(s)

svelte < 5.51.5

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
