CVE-2026-27122 MEDIUM

CVE-2026-27122: Svelte SSR does not validate dynamic element tag names in `<svelte:element>`

Vendor Sveltejs
Product svelte
Weakness CWE-79 · XSS
Published February 20, 2026
Last update February 23, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

01 Description

Svelte is a performance-oriented web framework. Prior to 5.51.5, when using `<svelte:element this={tag}>` in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
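As an added example (not code from Svelte or from this advisory), the sketch below shows an application-side allowlist check for values bound to `<svelte:element this={tag}>`, useful as defence in depth alongside the upgrade to 5.51.5. The names `safeTag`, `ALLOWED_TAGS`, `TAG_SHAPE`, `renderDynamic` and `escapeText` are hypothetical, and `renderDynamic` is a constructed stand-in for an emitter that writes the tag verbatim, not Svelte's implementation.

```javascript
// Added example: application-side guard for values bound to
// <svelte:element this={tag}>. All names here are hypothetical.

// Tags this application actually intends to render dynamically.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'section', 'h1', 'h2', 'h3']);

// Conservative shape check: ASCII letter first, then letters, digits or hyphens.
const TAG_SHAPE = /^[a-z][a-z0-9-]*$/;

function safeTag(tag, fallback = 'div') {
  if (typeof tag !== 'string') return fallback;
  const t = tag.toLowerCase();
  return TAG_SHAPE.test(t) && ALLOWED_TAGS.has(t) ? t : fallback;
}

// Escape text content so only the tag name varies between the two outputs.
function escapeText(s) {
  return String(s).replace(/[&<>]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
}

// Constructed stand-in for an SSR emitter that writes the tag verbatim,
// the behaviour the description attributes to versions before 5.51.5.
// This is not Svelte's source code.
function renderDynamic(tag, text) {
  return `<${tag}>${escapeText(text)}</${tag}>`;
}

// Constructed sample inputs, as they might arrive from a CMS field or query string.
const samples = ['h2', 'SPAN', 'div data-x="1"', 'p><em>extra</em', 42, ''];

// Render each sample with and without the guard so the outputs can be compared.
function demo() {
  return samples.map((s) => ({
    input: s,
    unguarded: renderDynamic(s, 'hi'),
    guarded: renderDynamic(safeTag(s), 'hi'),
  }));
}

for (const row of demo()) console.log(row);
```

In a component, the guard would be applied where the value is bound, for example `<svelte:element this={safeTag(tag)}>`, with the allowlist trimmed to the elements the page really needs.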

Key dates

02 Disclosure timeline

February 20, 2026 CVE published
February 23, 2026 Record updated