Description
Svelte is a performance-oriented web framework. From 5.39.3 up to and including 5.51.4, in certain circumstances, the server-side rendering output of an <option> element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
Published: 2026-02-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS) in server‑side rendering
Action: Immediate Patch
AI Analysis

Impact

In the affected versions, Svelte's server-side renderer can, in certain circumstances, write the content of an <option> element without HTML-escaping it. Untrusted data that ends up as option content can therefore inject markup, and with it script, into the server-rendered page: a cross-site scripting flaw (CWE-79). The advisory does not detail the triggering circumstances, and the CVSS 4.0 vector (AC:H, AT:P, PR:H) records that preconditions apply. Whether the injection is reflected or stored depends on where the application sources the option content; in either case the attacker's script runs in the victim's browser with the privileges of the application's origin.

Affected Systems

The vulnerability affects the svelte npm package (the CPE targets node.js), versions 5.39.3 through 5.51.4 inclusive; 5.51.5 contains the fix. Svelte applications commonly run SSR on Node.js. Only the server-side rendering output is affected; client-side rendering is not.
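A quick way to test a pinned version against the range above, as an added example that is not Svelte project code or part of the advisory. It assumes the version string comes from the resolved package (for instance the output of `npm ls svelte`), not from the range in package.json, and it implements only the part of semver precedence needed for range membership (pre-release identifiers are compared as plain strings):

```javascript
// Added example, not Svelte project code: decide whether an installed svelte
// version falls inside the range the advisory lists as affected,
// 5.39.3 <= version <= 5.51.4 (fixed in 5.51.5).

const AFFECTED_MIN = '5.39.3';
const AFFECTED_MAX = '5.51.4';

// Parse "MAJOR.MINOR.PATCH" with optional "-prerelease" and "+build" parts,
// tolerating a leading "v". Returns null for anything else ("latest", "^5").
function parseVersion(v) {
  const re = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;
  const m = re.exec(String(v).trim());
  if (!m) return null;
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] || null,
  };
}

// Semver precedence: compare major.minor.patch numerically; for an equal core
// a pre-release (5.39.3-next.0) ranks below the release (5.39.3). Pre-release
// identifiers are compared as plain strings here, which is sufficient for
// range membership but is not the full semver identifier ordering.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (a.prerelease === b.prerelease) return 0;
  if (a.prerelease === null) return 1;
  if (b.prerelease === null) return -1;
  return a.prerelease < b.prerelease ? -1 : 1;
}

// True when the version is inside [AFFECTED_MIN, AFFECTED_MAX].
function isAffectedSvelteVersion(v) {
  const parsed = parseVersion(v);
  if (!parsed) throw new Error(`not a concrete semver version: ${v}`);
  return compareVersions(parsed, parseVersion(AFFECTED_MIN)) >= 0 &&
         compareVersions(parsed, parseVersion(AFFECTED_MAX)) <= 0;
}

// Constructed sample of versions a lockfile might pin.
const SAMPLE_VERSIONS = ['5.39.2', '5.39.3', '5.45.0', '5.51.4', '5.51.5', '4.2.19'];
for (const v of SAMPLE_VERSIONS) {
  console.log(`${v.padEnd(8)} ${isAffectedSvelteVersion(v) ? 'AFFECTED' : 'not affected'}`);
}
```

Run it with the version reported by `npm ls svelte` for each workspace; a monorepo can resolve several copies of svelte, and every one of them has to be outside the range.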

Risk and Exploitability

The CVSS 4.0 base score shown on this page is 5.1 (Medium); the history below also records CVSS 3.1 scores of 5.4 and 5.6 from other sources, all in the medium range. The EPSS estimate below 1% and the absence of a CISA KEV listing indicate no known exploitation at the time of writing. Exploitation requires a server route that renders <option> elements from externally supplied data and hits the circumstances, not specified in the advisory, under which escaping is skipped; an attacker who controls that data obtains client-side XSS against users of the rendered page.

Generated by OpenCVE AI on April 17, 2026 at 17:01 UTC.

Remediation

The advisory states that the issue is fixed in svelte 5.51.5; no separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade Svelte to version 5.51.5 or later to apply the escaping fix.
  • If an upgrade cannot be performed immediately, avoid rendering <option> elements from untrusted content on the server, or HTML-escape that content yourself before it is embedded in the SSR output (escaping, not sanitization, is the right control for text content).
  • Validate any user-provided data used in <option> elements on the server, treating validation as defence in depth rather than a substitute for output escaping.
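The attack vector described under Risk and Exploitability and the escaping advice above can be checked directly against captured SSR output. The following is an added example, not Svelte's code or the OpenCVE recommendation: it models the escaping contract that server-rendered <option> content must meet, with a hypothetical `renderSelectUnescaped` standing in for the faulty behaviour (the advisory does not say which circumstances skip escaping, so Svelte's internals are not reproduced), and provides `findUnescapedSelectContent`, a post-render check that flags foreign tags inside a <select>. The payloads are constructed:

```javascript
// Added example, not Svelte's code. Models the escaping contract for
// server-rendered <option> content and a check that can be run over captured
// SSR HTML. renderSelectUnescaped is a hypothetical stand-in for the faulty
// behaviour the advisory describes, not Svelte's implementation.

// HTML escaping for text content. '&', '<' and '>' are what matter in text
// context; quotes are escaped too so the same helper is safe in attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical faulty renderer: the option label is written verbatim.
function renderSelectUnescaped(name, options) {
  const items = options.map(
    (o) => `<option value="${escapeHtml(o.value)}">${o.label}</option>`
  );
  return `<select name="${escapeHtml(name)}">${items.join('')}</select>`;
}

// Correct renderer: the label is escaped before it becomes text content.
function renderSelectEscaped(name, options) {
  const items = options.map(
    (o) => `<option value="${escapeHtml(o.value)}">${escapeHtml(o.label)}</option>`
  );
  return `<select name="${escapeHtml(name)}">${items.join('')}</select>`;
}

// Tags that legitimately occur inside a <select>. Anything else between
// <select> and </select> means markup reached the output unescaped.
const ALLOWED_IN_SELECT = new Set(['select', 'option', 'optgroup', 'hr']);

// Scan SSR HTML and report foreign tags inside <select> blocks as well as
// unbalanced </select> closings, which an injected </select> produces.
// The tag regex is deliberately simple: it ignores '>' inside attribute
// values and comments, which is acceptable for a post-render sanity check.
function findUnescapedSelectContent(html) {
  const findings = [];
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g;
  let depth = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (tag === 'select') {
      depth += closing ? -1 : 1;
      if (depth < 0) {
        findings.push({ tag, offset: m.index, reason: 'unbalanced </select>' });
        depth = 0;
      }
    } else if (depth > 0 && !ALLOWED_IN_SELECT.has(tag)) {
      findings.push({ tag, offset: m.index, reason: 'foreign tag inside <select>' });
    }
  }
  return findings;
}

// Constructed labels, standing in for a query parameter or database field
// that populates a <select>; the third one is attacker-controlled.
const SAMPLE_OPTIONS = [
  { value: 'a', label: 'Plain label' },
  { value: 'b', label: 'Fish & Chips <3' },
  { value: 'c', label: '</option><img src=x onerror=alert(1)><option>' },
];

console.log('unescaped:', findUnescapedSelectContent(renderSelectUnescaped('s', SAMPLE_OPTIONS)));
console.log('escaped:  ', findUnescapedSelectContent(renderSelectEscaped('s', SAMPLE_OPTIONS)));
```

For a real application, feed `findUnescapedSelectContent` the HTML returned by the server route that renders the <select> with a label such as the third sample; an empty result for that payload, together with the upgrade to 5.51.5, is the evidence worth keeping in the ticket.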

Generated by OpenCVE AI on April 17, 2026 at 17:01 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-h7h7-mm68-gmrc
Title: Svelte affected by XSS in SSR `<option>` element
History

Mon, 23 Feb 2026 21:15:00 +0000

Metrics (ssvc), added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 21:00:00 +0000

CPEs, added: cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*
Metrics (cvssV3_1), removed: {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}
Metrics (cvssV3_1), added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Mon, 23 Feb 2026 15:00:00 +0000

First Time appeared, added: Svelte (vendor); Svelte svelte (product)
Vendors & Products, added: Svelte; Svelte svelte

Sat, 21 Feb 2026 12:15:00 +0000

References: changed
Metrics (threat_severity), removed: None
Metrics (cvssV3_1), added: {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}
Metrics (threat_severity), added: Moderate


Fri, 20 Feb 2026 22:45:00 +0000

Description, added: svelte performance oriented web framework. From 5.39.3, <=5.51.4, in certain circumstances, the server-side rendering output of an <option> element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
Title, added: Svelte affected by XSS in SSR `<option>` element
Weaknesses, added: CWE-79
References, added
Metrics (cvssV4_0), added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-23T19:42:58.320Z

Reserved: 2026-02-17T18:42:27.043Z

Link: CVE-2026-27119

Vulnrichment

Updated: 2026-02-23T19:42:32.464Z

NVD

Status : Analyzed

Published: 2026-02-20T23:16:02.360

Modified: 2026-02-23T20:54:04.723

Link: CVE-2026-27119

Red Hat

Severity : Moderate

Published: 2026-02-20T22:25:42Z

Links: CVE-2026-27119 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses