Svelte Web Framework Vulnerability in Server-Side Rendering
CVE-2026-27125

5.3 MEDIUM

Key Information:

Vendor

Sveltejs

Status
Vendor
CVE Published:
20 February 2026

What is CVE-2026-27125?

In Svelte versions prior to 5.51.5, server-side rendering of attribute spreading on elements can inadvertently include inherited properties from the prototype chain. This occurs when Object.prototype has been modified, and it leads to unexpected attributes being rendered in the output or to errors during rendering. Client-side rendering is not affected. The issue is resolved in version 5.51.5.
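The following is an added illustration of this bug class, not Svelte's source code or its actual patch. It is a simplified model of a server-side attribute-spread renderer; the helper names and the `inherited_marker` property are hypothetical, and the input is constructed.

```javascript
// Simplified model of SSR attribute spreading (hypothetical helpers, not Svelte's code).

function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;');
}

// "Before": for...in walks the prototype chain, so enumerable properties
// inherited from Object.prototype are rendered as if the caller passed them.
function renderSpreadInherited(tag, attrs) {
  let out = `<${tag}`;
  for (const name in attrs) {
    out += ` ${name}="${escapeAttr(attrs[name])}"`;
  }
  return out + '>';
}

// "After": Object.keys returns own enumerable keys only.
function renderSpreadOwnOnly(tag, attrs) {
  let out = `<${tag}`;
  for (const name of Object.keys(attrs)) {
    out += ` ${name}="${escapeAttr(attrs[name])}"`;
  }
  return out + '>';
}

// Defensive check: any enumerable key on Object.prototype means it was modified.
function modifiedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Constructed scenario: other code in the process has modified Object.prototype.
function demo() {
  Object.prototype.inherited_marker = 'from-prototype'; // constructed value
  try {
    const props = { id: 'main', class: 'card' };
    return {
      detected: modifiedPrototypeKeys(),
      inherited: renderSpreadInherited('div', props),
      ownOnly: renderSpreadOwnOnly('div', props),
    };
  } finally {
    delete Object.prototype.inherited_marker; // restore global state
  }
}

console.log(demo());
```

A startup or health-check call to a function like `modifiedPrototypeKeys()` gives a cheap signal that the rendering process is running with a modified Object.prototype, independent of the Svelte version in use.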

Affected Version(s)

svelte < 5.51.5

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
