HTML Injection Vulnerability in Svelte Web Framework
CVE-2026-27902

5.3 MEDIUM

Key Information:

Vendor: Sveltejs

Status: Vendor

CVE Published: 26 February 2026

What is CVE-2026-27902?

Svelte, a performance-oriented web framework, had a vulnerability in which errors returned by the 'transformError' function were not HTML-escaped before being included in HTML output. Because of this oversight, an attacker who could influence the content returned from 'transformError' could inject HTML into the page, with a resulting risk of XSS. Users are advised to update to version 5.53.5 or later to address the issue.
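The defect described above, shown as an added illustration rather than Svelte's own code: an error message is interpolated into HTML as-is, beside the hardened form that escapes it first. The function names, the `renderErrorHtml*` helpers and the sample error are assumptions constructed for this example.

```javascript
// Added example (not Svelte's code). The render helpers and sample error are
// constructed to illustrate the unescaped-error pattern and its fix.

// Escape the characters that carry meaning in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the message is trusted and concatenated into markup,
// so any tag inside it becomes live HTML in the rendered error output.
function renderErrorHtmlUnsafe(error) {
  return `<pre class="error">${error.message}</pre>`;
}

// Hardened pattern: the message is escaped, so it renders as text only.
function renderErrorHtmlSafe(error) {
  return `<pre class="error">${escapeHtml(error.message)}</pre>`;
}

// Detection helper: does the rendered output contain the given tag unescaped?
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}

// Constructed sample: an error whose message carries markup that should
// never be interpreted as HTML when shown to the user.
const sampleError = new Error('Module not found: "<b>oops</b>"');

function demo() {
  return {
    unsafe: renderErrorHtmlUnsafe(sampleError),
    safe: renderErrorHtmlSafe(sampleError),
  };
}
```

Running `demo()` shows the unescaped output carrying a live `<b>` element while the hardened output carries only `&lt;b&gt;` text.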

Affected Version(s)

svelte >= 5.53.0, < 5.53.5

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved