CVE-2026-27902 PUBLISHED

Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers

Assigner: GitHub_M
Reserved: 24.02.2026 Published: 26.02.2026 Updated: 26.02.2026

Svelte performance oriented web framework. Prior to version 5.53.5, errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError. Version 5.53.5 fixes the issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N
CVSS Score: 5.3

Product Status

Vendor sveltejs
Product svelte
Versions
  • Version >= 5.53.0, < 5.53.5 is affected

References

Problem Types

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE