PT-2026-22076 · Svelte · Svelte
Elliott-With-The-Longest-Name-On-Github
·
Published
2026-02-26
·
Updated
2026-03-05
·
CVE-2026-27901
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Svelte versions prior to 5.53.5
Description
Svelte, a performance-oriented web framework, had an issue where the contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped in versions prior to 5.53.5. This could allow for HTML injection and Cross-Site Scripting (XSS) if untrusted data is rendered as the initial value of the binding on the server. The vulnerable parameters are innerText and textContent.
Recommendations
Update to Svelte version 5.53.5 or later.
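The following is an added illustration of the escaping issue described above; it is not Svelte's own code and does not reproduce its renderer. It models the server-side rendering of a contenteditable element in two shapes: the unescaped concatenation that lets a bound initial value contribute markup, and the hardened form that escapes the value first. The sample input, the function names and the regex-based check are all constructed for this example.

```javascript
// Added illustration (not Svelte's code): why the initial value of a
// contenteditable binding must be HTML-escaped when it is rendered on the server.

// Constructed untrusted sample: benign markup plus an ampersand, the kind of
// string a user might save into a field that is later bound with bind:innerText.
const UNTRUSTED = 'Hello <b>world</b> & friends';

// Minimal HTML text escaper: characters that can open a tag or start an
// entity are replaced, so the value can only ever be read as text.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Reverse of escapeHtml, used below to show the escaped form round-trips
// back to the original text once the browser decodes it.
function unescapeHtml(text) {
  return String(text)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Vulnerable shape: the bound value lands in the element body verbatim,
// so any markup in the value becomes real DOM on the client.
function renderUnescaped(value) {
  return `<div contenteditable="true">${value}</div>`;
}

// Hardened shape: the value is escaped before it becomes the initial text.
function renderEscaped(value) {
  return `<div contenteditable="true">${escapeHtml(value)}</div>`;
}

// Extract the raw body between the element's open and close tags (null if
// the fragment does not have the expected shape).
function bodyOf(html) {
  const m = /^<div contenteditable="true">([\s\S]*)<\/div>$/.exec(html);
  return m ? m[1] : null;
}

// Defender-side check: count tag openers inside the element body. A rendered
// fragment whose body should be plain text must report zero.
function injectedTagCount(html) {
  const body = bodyOf(html);
  if (body === null) return -1;
  return (body.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Stand-alone demonstration.
console.log('unescaped tags:', injectedTagCount(renderUnescaped(UNTRUSTED))); // 2
console.log('escaped tags:  ', injectedTagCount(renderEscaped(UNTRUSTED)));   // 0
console.log('round trip ok: ', unescapeHtml(bodyOf(renderEscaped(UNTRUSTED))) === UNTRUSTED); // true
```

The check in `injectedTagCount` is a cheap regression probe for server-rendered output: anything that should have been emitted as text but still contains a tag opener points at a missing escape. It is deliberately a text-level check and is not a substitute for upgrading to 5.53.5 or later.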
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Svelte