PT-2026-20881 · Svelte · Svelte
Elliott-With-The-Longest-Name-On-Github · Published 2026-02-19 · Updated 2026-02-20 · CVE-2026-27122
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Svelte versions prior to 5.51.5
Description
A flaw exists in Svelte where, during server-side rendering, the tag name provided to the <svelte:element this={tag}> component is not validated or sanitized before being included in the HTML output. This can lead to HTML injection if the tag string contains malicious characters. Client-side rendering is not impacted by this issue. The vulnerable component is <svelte:element this={tag}>. The vulnerable variable is tag.
Recommendations
Update to version 5.51.5 or later.
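As a defense-in-depth measure alongside the upgrade, the value bound to tag can be validated before it reaches <svelte:element this={tag}>. The following is an added example, not Svelte's code or its patch; safeTag, ALLOWED_TAGS, renderElement and the sample inputs are hypothetical names and constructed data.

```javascript
// Added example: validate a dynamic tag name before it is passed to
// <svelte:element this={tag}>. Not Svelte's own code or its fix.

// Hypothetical allowlist: the elements this application renders dynamically.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'section', 'h1', 'h2', 'h3', 'ul', 'li']);

// Conservative shape check: ASCII letter first, then letters, digits or hyphens.
// Rejects whitespace, '<', '>', '/', '=', quotes and control characters.
const TAG_SHAPE = /^[a-z][a-z0-9-]*$/;

function safeTag(input, fallback = 'div') {
  if (typeof input !== 'string') return fallback;
  const tag = input.toLowerCase();
  if (!TAG_SHAPE.test(tag)) return fallback;
  return ALLOWED_TAGS.has(tag) ? tag : fallback;
}

// Constructed stand-in for a server-side renderer that concatenates the tag
// name into markup; it only illustrates the failure mode described above.
function renderElement(tag, text) {
  const escaped = text.replace(/&/g, '&amp;').replace(/</g, '&lt;');
  return `<${tag}>${escaped}</${tag}>`;
}

// Constructed sample inputs, as they might arrive from a CMS field or query string.
const samples = ['h2', 'SPAN', 'div><b>injected</b', 'p class=x', 'script', '', null];

// Every sample is normalised to an allowlisted tag before rendering.
function demo() {
  return samples.map((s) => renderElement(safeTag(s), 'hello'));
}

console.log(demo());
```

In a component this would be used as <svelte:element this={safeTag(tag)}>, so that only allowlisted names are ever rendered on the server.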
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Svelte