Description
Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.
Published: 2026-02-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in the Svelte framework when rendering untrusted data as the initial value of a contenteditable element that uses bind:innerText or bind:textContent during server‑side rendering. Because the framework fails to escape the contents of these bindings, an attacker can inject malicious HTML, resulting in client‑side script execution. This is a typical web page injection flaw (CWE‑79) that allows an attacker to run arbitrary code in the browser, steal session data, deface the page, or perform other malicious actions against users of the affected site.

Affected Systems

All installations of Svelte older than version 5.53.5 that render contenteditable elements with bind:innerText or bind:textContent on the server are affected. The issue applies to the sveltejs:svelte product as distributed through npm for Node.js environments.

Risk and Exploitability

The advisory assigns a CVSS score of 5.3, indicating moderate severity, and an EPSS score of less than 1%, reflecting a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires that an attacker can supply untrusted data to the server’s rendering of a contenteditable field using the affected bindings. Upon rendering, the malicious payload will execute in the victim’s browser, providing typical XSS consequences.

Generated by OpenCVE AI on April 17, 2026 at 14:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Svelte framework to version 5.53.5 or later, which provides proper escaping for the vulnerable bindings.
  • Audit your codebase to locate all instances of bind:innerText or bind:textContent on contenteditable elements. Verify that the bound values do not originate from untrusted input during server‑side rendering.
  • If an immediate upgrade is not possible, sanitize any untrusted data before assigning it as the initial value for these bindings, or avoid using contenteditable elements with these bindings in server‑rendered pages until the patch is applied.

Generated by OpenCVE AI on April 17, 2026 at 14:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-phwv-c562-gvmh Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`
History

Thu, 05 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*
cpe:2.3:a:svelte:svelte:5.53.5:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Sat, 28 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

threat_severity

Moderate

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Svelte
Svelte svelte
Vendors & Products Svelte
Svelte svelte

Thu, 26 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
Description Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.
Title Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Svelte Svelte
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:31:00.714Z

Reserved: 2026-02-24T15:19:29.718Z

Link: CVE-2026-27901

cve-icon Vulnrichment

Updated: 2026-02-26T14:30:52.144Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T02:16:20.967

Modified: 2026-03-05T14:49:14.613

Link: CVE-2026-27901

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-26T00:57:40Z

Links: CVE-2026-27901 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses