Description
Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue.
Published: 2026-02-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

This vulnerability exists in the Svelte framework when server‑side rendering errors are processed by transformError. The error string returned by transformError is inserted into the HTML output without escaping, allowing an attacker‑controlled string to inject malicious markup or JavaScript. The flaw is a classic XSS that falls under CWE‑79 and can compromise the integrity and confidentiality of a user’s session.

Affected Systems

Any project that uses the open‑source Svelte framework older than version 5.53.5 is vulnerable. The product is identified as sveltejs:svelte; updating to 5.53.5 or newer eliminates the issue.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk, while the EPSS score of <1% suggests that a publicly available exploit is unlikely at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector requires an attacker to cause Svelte to surface an error containing attacker‑controlled content, such as by manipulating user input processed by a transformError function or by exploiting a bug that feeds unsanitized data to transformError.

Generated by OpenCVE AI on April 18, 2026 at 19:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Svelte framework to version 5.53.5 or later to apply the core fix.
  • Validate or escape any data passed to or returned from transformError so that it does not contain unescaped user input.
  • If an upgrade cannot be performed immediately, implement a custom error boundary that sanitizes the error string or replace the default error boundary with a custom implementation that performs proper escaping.

Generated by OpenCVE AI on April 18, 2026 at 19:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qgvg-pr8v-6rr3 Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers
History

Thu, 05 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

Sat, 28 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N'}

threat_severity

Moderate

Thu, 26 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Svelte
Svelte svelte
Vendors & Products Svelte
Svelte svelte

Thu, 26 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
Description Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue.
Title Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Svelte Svelte
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T18:51:39.142Z

Reserved: 2026-02-24T15:19:29.718Z

Link: CVE-2026-27902

cve-icon Vulnrichment

Updated: 2026-02-26T18:51:34.608Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T02:16:21.170

Modified: 2026-03-05T14:48:34.240

Link: CVE-2026-27902

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-26T00:58:54Z

Links: CVE-2026-27902 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses