Description

svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.

INFO

Published Date :

2026-02-20T22:27:36.103Z

Last Modified :

2026-02-23T19:34:18.150Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27121 vulnerability.

Vendors Products
Svelte
  • Svelte
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27121.

URL Resource
https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-27121 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-27121 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact