PT-2025-7634 · Solid-Js · Solid-Js

Nsysean · Published 2025-02-21 · Updated 2025-02-25 · CVE-2025-27109

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: solid-js versions prior to 1.9.4

Description: The issue concerns a lack of escaping in Inserts/JSX expressions inside illegal inlined JSX fragments, allowing user input to be rendered as HTML when put directly inside JSX fragments. This can lead to XSS attacks. For example, a URL parameter like ?text=<svg/onload=alert(1)> could trigger an XSS attack. The issue has been addressed in version 1.9.4.

Recommendations: To resolve the issue, upgrade to version 1.9.4 or later. As a temporary workaround, consider validating and sanitizing user input to prevent XSS attacks. Restrict access to vulnerable components until the issue is resolved.
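The workaround above, modelled in plain JavaScript as an added example (not code from the advisory or from the solid-js project): the advisory's sample query string is read, placed into markup once without escaping (the behaviour described for inlined fragments before 1.9.4) and once with escaping. The page URL, the template and the helper names are assumptions; no Solid compiler is involved, so the template is a string rather than JSX.

```javascript
// Added example: escaping user input before it lands in markup, using the
// advisory's own sample payload. Names and the template are assumptions.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of an HTML text or attribute
// context. One pass over the string, so each special character is replaced once.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Read the `text` query parameter from a URL like the one in the advisory.
// URLSearchParams decodes the percent-encoding for us.
function textParam(url) {
  return new URL(url).searchParams.get('text') ?? '';
}

// Unsafe: the parameter is concatenated straight into markup, so a value
// containing tags becomes live HTML when the string reaches the DOM.
function renderUnsafe(text) {
  return `<p>${text}</p>`;
}

// Safe: the same template with the value escaped first; the browser shows the
// payload as literal text instead of creating an <svg> element.
function renderSafe(text) {
  return `<p>${escapeHtml(text)}</p>`;
}

// Check used below: does the rendered markup still contain an <svg> tag
// that originated in the input rather than in the template?
function containsInjectedTag(html) {
  return /<svg[\s/>]/i.test(html);
}

// Constructed sample: the advisory's parameter on a placeholder host.
const SAMPLE_URL =
  'https://example.test/page?text=' + encodeURIComponent('<svg/onload=alert(1)>');

console.log('unsafe:', renderUnsafe(textParam(SAMPLE_URL)));
console.log('safe:  ', renderSafe(textParam(SAMPLE_URL)));
```

Escaping is the right tool for text content; if a value must be placed in an attribute or a URL, use the encoding appropriate to that context instead of reusing this function.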

Exploit · Fix

Weakness Enumeration: Improper Encoding or Escaping of Output · XSS

Related Identifiers: CVE-2025-27109, GHSA-3QXH-P7JC-5XH6

Affected Products: Solid-Js