CVE-2026-27121 MEDIUM

CVE-2026-27121: Svelte affected by cross-site scripting via spread attributes in Svelte SSR

Vendor Sveltejs
Product svelte
Weakness CWE-79 · XSS
Published February 20, 2026
Last update February 23, 2026
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

01Description

svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.

Key dates

02Disclosure timeline

February 20, 2026 CVE published
February 23, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-5624 Reflected Cross-Site Scripting (XSS) in Shift Logbook application of B&R APROL CVE-2024-39655 WordPress LiquidPoll plugin <= 3.3.77 - Unauthenticated Cross Site Scripting (XSS) vulnerability CVE-2026-48222 Open ISES Tickets < 3.44.2 Reflected XSS via ics213.php frm_add_str Parameter CVE-2025-4579 WP Content Security Plugin <= 2.3 - Unauthenticated Stored Cross-Site Scripting via CSP-Report Fields CVE-2024-1024 SourceCodester Facebook News Feed Like New Account cross site scripting