CVE-2026-27902 MEDIUM

CVE-2026-27902: Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers

Vendor Sveltejs

Product svelte

Weakness CWE-79 · XSS

Published February 26, 2026

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

01Description

Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue.

Key dates

02Disclosure timeline

February 26, 2026 CVE published

February 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-27902 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2026-4175 Aureus ERP Chatter Message content-text-entry.blade.php cross site scripting CVE-2024-0948 NetBox Home Page Configuration config-revisions cross site scripting CVE-2024-37485 WordPress bbPress Notify (No-Spam) plugin <= 2.18.3 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2022-43578 IBM Sterling B2B Integrator Standard Edition cross-site scripting CVE-2023-5599 Stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboard in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2023x