416 matches found
CVE-2026-27122 Svelte SSR does not validate dynamic element tag names in `<svelte:element>`
svelte performance oriented web framework. Prior to 5.51.5, when using in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output...
CVE-2026-27122
CVE-2026-27122 affects the Svelte performance-oriented web framework. In server-side rendering, using allows an unvalidated tag name to be emitted in HTML output, enabling HTML injection. Client-side rendering is not impacted. The vulnerability is addressed by upgrading to version 5.51.5. The av...
CVE-2026-27122
svelte performance oriented web framework. Prior to 5.51.5, when using in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output...
CVE-2026-27121
svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting XSS during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an...
CVE-2026-27121 Svelte affected by cross-site scripting via spread attributes in Svelte SSR
svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting XSS during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an...
CVE-2026-27121
Technical details for CVE-2026-27121 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-27121 Svelte affected by cross-site scripting via spread attributes in Svelte SSR
svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting XSS during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an...
CVE-2026-27119 Svelte affected by XSS in SSR `<option>` element
svelte performance oriented web framework. From 5.39.3, element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5...
CVE-2026-27119 Svelte affected by XSS in SSR `<option>` element
svelte performance oriented web framework. From 5.39.3, element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5...
CVE-2026-27119
CVE-2026-27119 affects the Svelte framework’s server-side rendering output for the element, where content may not be properly escaped in certain conditions (versions 5.39.3 through 5.51.4). This can lead to HTML injection in SSR output, while client-side rendering remains unaffected. The vulnera...
CVE-2026-27119 Svelte affected by XSS in SSR `<option>` element
svelte performance oriented web framework. From 5.39.3, element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5...
CVE-2026-27119
svelte performance oriented web framework. From 5.39.3, =5.51.4, in certain circumstances, the server-side rendering output of an element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed...
Svelte 跨站脚本漏洞
Svelte is an open-source approach to building web applications developed by Svelte. Versions of Svelte prior to 5.51.5 contained a cross-site scripting vulnerability. This vulnerability occurred when extended syntax was used during server-side rendering, and event handler properties were included...
Svelte 安全漏洞
Svelte is an open-source approach to building web applications developed by Svelte. Versions of Svelte prior to 5.51.5 have a security vulnerability. This vulnerability arises from server-side rendering, where property extensions enumerate inherited properties, which may lead to unexpected proper...
Svelte 跨站脚本漏洞
Svelte is an open-source approach to building web applications. Versions of Svelte from 5.39.3 to 5.51.4 have a cross-site scripting vulnerability. This vulnerability stems from improper escaping of content in server-side rendering outputs, which may lead to HTML injection...
Svelte 跨站脚本漏洞
Svelte is an open-source approach to building web applications developed by Svelte. Versions of Svelte prior to 5.51.5 contained a cross-site scripting vulnerability. This vulnerability stemmed from the lack of validation or cleanup of tag names during server-side rendering, which could lead to...
PT-2026-21307
svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements e.g. enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview org.webjars.npm:svelte is a package for building web applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in server-side rendering when attribute spreading is performed on elements. An attacker ca...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in server-side rendering when attribute spreading is performed on elements. An attacker can inject...
GHSA-CRPF-4HRX-3JRP Svelte SSR attribute spreading includes inherited properties from prototype chain
In server-side rendering, attribute spreading on elements e.g. enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpect...