CVE-2026-27119
HTML Injection in Svelte SSR Option Element
Publication date: 2026-02-20
Last updated on: 2026-02-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| svelte | svelte | From 5.39.3 (inc) to 5.51.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Svelte web framework versions from 5.39.3 up to and including 5.51.4. Under certain conditions, the server-side rendering (SSR) output of an <option> HTML element does not properly escape its content. This improper escaping can lead to HTML injection in the SSR output. It is important to note that client-side rendering is not affected by this issue. The vulnerability was fixed in version 5.51.5.
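As an added illustration (not Svelte's own code, and not a reproduction of the unstated "certain conditions" above), the following minimal server-side renderer for a `<select>` shows the general defect class the advisory describes: option label text interpolated into SSR markup without HTML escaping, next to the hardened form that escapes it. The `containsUnexpectedTags` check is a simple assertion a test suite can run over rendered SSR output; all names and the sample labels are constructed for this example.

```javascript
// Added illustration, not Svelte's code: minimal SSR rendering of a <select>
// showing why <option> text content must be HTML-escaped.

// Escape the characters significant in HTML text content.
// '&' is replaced first so the entities introduced afterwards are not re-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Defect pattern: option labels are interpolated verbatim into the markup.
function renderSelectUnsafe(name, labels) {
  const options = labels.map((label) => `<option>${label}</option>`).join("");
  return `<select name="${escapeHtml(name)}">${options}</select>`;
}

// Hardened form: every label is escaped before interpolation.
function renderSelectSafe(name, labels) {
  const options = labels
    .map((label) => `<option>${escapeHtml(label)}</option>`)
    .join("");
  return `<select name="${escapeHtml(name)}">${options}</select>`;
}

// SSR-output check: true if any tag other than <select>/<option> appears.
// Escaped output contains no '<' at all in label positions, so it passes.
function containsUnexpectedTags(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => t !== "select" && t !== "option");
}

// Constructed sample input: one ordinary label and one carrying markup
// that the renderer must neutralize before it reaches the page.
const SAMPLE_LABELS = ["Red", "Blue <b>bold</b>"];

const unsafe = renderSelectUnsafe("color", SAMPLE_LABELS);
const safe = renderSelectSafe("color", SAMPLE_LABELS);
console.log("unsafe:", unsafe, "unexpected tags:", containsUnexpectedTags(unsafe));
console.log("safe:  ", safe, "unexpected tags:", containsUnexpectedTags(safe));
```

Run with `node` to see both renderings side by side; the unsafe output carries the `<b>` tag through verbatim while the safe output contains `&lt;b&gt;`, which the tag check no longer flags.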
How can this vulnerability impact me?
The vulnerability can allow an attacker to inject arbitrary HTML into the server-side rendered output of a web page, specifically within <option> elements. This could potentially lead to security issues such as content spoofing or manipulation of the rendered page. However, since client-side rendering is not affected, the impact is limited to server-side rendered content. The severity score (CVSS 5.1) suggests a moderate impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the svelte framework to version 5.51.5 or later, where the issue with improper escaping of <option> element content in server-side rendering is fixed.
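As an added example of checking the upgrade advice against an actual dependency tree (not an npm or Svelte tool), the following script decides whether a svelte version falls inside the affected range from the table above (5.39.3 inclusive to 5.51.5 exclusive) and walks a parsed `package-lock.json` (lockfileVersion 2 or 3, whose `packages` map is keyed by install path) to report every copy of svelte, including nested duplicates. The lockfile object here is constructed for the example; pre-release suffixes are deliberately ignored.

```javascript
// Added example, not a Svelte or npm tool: flag svelte versions inside the
// advisory's affected range and locate them in a parsed package-lock.json.

// Affected range taken from the advisory table.
const AFFECTED_FROM = "5.39.3"; // inclusive
const FIXED_IN = "5.51.5";      // exclusive

// Parse "major.minor.patch" into integers. Pre-release/build suffixes are
// ignored (simplification: a "5.51.5-next.0" would count as 5.51.5 here).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare two parsed versions component by component: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when AFFECTED_FROM <= version < FIXED_IN.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) throw new Error(`unparseable version: ${version}`);
  return compareVersions(v, parseVersion(AFFECTED_FROM)) >= 0 &&
         compareVersions(v, parseVersion(FIXED_IN)) < 0;
}

// Walk the "packages" map of a parsed lockfile and report each svelte entry,
// whether installed at the top level or nested under another dependency.
function findAffectedSvelte(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isSvelte = path === "node_modules/svelte" || path.endsWith("/node_modules/svelte");
    if (isSvelte && meta && meta.version) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile: one affected top-level copy and one nested
// copy already at the fixed version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/svelte": { version: "5.45.0" },
    "node_modules/some-lib/node_modules/svelte": { version: "5.51.5" },
  },
};

console.log(findAffectedSvelte(SAMPLE_LOCK));
```

Against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any entry reported with `affected: true` needs the upgrade to 5.51.5 or later, and nested copies matter as much as the top-level one because they are what the SSR build actually imports.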