CVE-2026-27902
HTML Injection and XSS in Svelte transformError Before v

Publication date: 2026-02-26

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
Svelte is a performance-oriented web framework. Prior to version 5.53.5, errors returned from `transformError` were not escaped before being embedded in the server-rendered HTML output, allowing HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue.
Meta Information
Published: 2026-02-26
Last Modified: 2026-03-05
Generated: 2026-05-07
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor: svelte
Product: svelte
Version / Range: from 5.53.0 (inclusive) to 5.53.5 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27902 is a moderate severity vulnerability in the Svelte web framework, versions 5.53.0 through 5.53.4. The issue arises because errors returned by the `transformError` hook were not escaped before being embedded into the HTML output produced during server-side rendering (SSR).

Because the error text is written into an HTML comment unescaped, attacker-controlled error content that contains the sequence `-->` closes the comment early, and everything that follows is parsed by the browser as live markup. That is what turns the injection into Cross-Site Scripting (XSS) whenever the error content is attacker-controlled.

The vulnerability was fixed in version 5.53.5 by escaping the error data before embedding it into HTML comments, so that the text can no longer terminate the comment or introduce new elements.


How can this vulnerability impact me? :

This vulnerability can allow an attacker to perform Cross-Site Scripting (XSS) attacks by injecting markup through the HTML comments in the server-side rendered output.

The impact includes unauthorized disclosure of information and potential integrity compromise in subsequent systems that process or display the affected HTML.

While the vulnerability does not affect system availability, it can lead to confidentiality and integrity issues, potentially allowing attackers to execute malicious scripts in users' browsers.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from improper escaping of errors returned by the `transformError` hook in Svelte versions prior to 5.53.5, which can lead to Cross-Site Scripting (XSS) via the HTML comments in server-side rendered output.

To detect this vulnerability on your system, check the version of the Svelte package in use, including nested copies pulled in by other dependencies. Versions 5.53.0 through 5.53.4 are vulnerable; version 5.53.5 includes the fix.

You can run commands to identify the installed Svelte version, for example:

  • npm list svelte
  • yarn list --pattern svelte

Additionally, to detect potential exploitation attempts, monitor server logs or HTTP responses for HTML comments carrying error text that contains the sequences `-->` or `<!--` (which would close or open a comment), or raw `<` and `>` characters, and for a tag such as `<script>` appearing immediately after a comment closes; either pattern may indicate an attempted XSS payload.
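The two checks above, written out as an added example (this is not code from the advisory or from the Svelte project): the version check implements the affected range listed under Affected Vendors & Products and walks the JSON tree that `npm ls svelte --json` prints, and the response check applies the comment heuristics from the paragraph above to a few constructed HTML bodies. The sample dependency tree and the sample responses are constructed for the example; the `@sveltejs/kit` version and the `ssr-error:` comment marker in them are assumptions, not output from any real project.

```javascript
// Added example, not from the advisory or from Svelte.

// 1. Version check: 5.53.0 <= v < 5.53.5. A pre-release such as "5.53.5-next.1"
//    sorts before the release it precedes, so it is still inside the range.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1; // pre-release < release
  if (!a.pre && b.pre) return 1;
  return 0;
}

const FIRST_AFFECTED = parseSemver("5.53.0");
const FIXED = parseSemver("5.53.5");

function isAffectedSvelteVersion(version) {
  const v = parseSemver(version);
  return compareSemver(v, FIRST_AFFECTED) >= 0 && compareSemver(v, FIXED) < 0;
}

// Walk the `dependencies` tree from `npm ls svelte --json` and collect every
// svelte version found, including copies nested under other packages.
function findSvelteVersions(npmLsJson, found = []) {
  for (const [name, info] of Object.entries(npmLsJson.dependencies || {})) {
    if (name === "svelte" && info.version) found.push(info.version);
    findSvelteVersions(info, found);
  }
  return found;
}

function affectedSvelteVersions(npmLsJson) {
  return findSvelteVersions(npmLsJson).filter(isAffectedSvelteVersion);
}

// Constructed sample of `npm ls svelte --json` output (versions are made up).
const SAMPLE_NPM_LS = {
  name: "demo-app",
  version: "1.0.0",
  dependencies: {
    svelte: { version: "5.53.2", dependencies: {} },
    "@sveltejs/kit": {
      version: "2.50.0",
      dependencies: { svelte: { version: "5.53.5" } },
    },
  },
};

// 2. Response check (heuristic): comment bodies should not contain raw '<' or
//    '>', and a tag should not start right where a comment closes.
const TAG_AFTER_CLOSE = /-->\s*<(script|img|svg|iframe|object|embed)\b/i;

function flagSuspiciousComments(html) {
  const findings = [];
  const commentRe = /<!--([\s\S]*?)-->/g;
  let m;
  while ((m = commentRe.exec(html)) !== null) {
    if (/[<>]/.test(m[1])) findings.push({ reason: "markup inside comment", at: m.index });
  }
  const tail = TAG_AFTER_CLOSE.exec(html);
  if (tail) findings.push({ reason: "tag right after comment close", at: tail.index });
  return findings;
}

// Constructed sample response bodies; "ssr-error:" is a made-up marker.
const SAMPLE_BENIGN = '<div id="app"><!--[--><p>hello</p><!--]--></div>';
const SAMPLE_BROKEN_OUT =
  '<div id="app"><!--ssr-error:oops --><script>alert(1)</script><!----></div>';
const SAMPLE_MARKUP_IN_COMMENT =
  '<div id="app"><!--ssr-error:<img src=x onerror=alert(1)>--></div>';

console.log("affected versions:", affectedSvelteVersions(SAMPLE_NPM_LS));
for (const body of [SAMPLE_BENIGN, SAMPLE_BROKEN_OUT, SAMPLE_MARKUP_IN_COMMENT]) {
  console.log(flagSuspiciousComments(body));
}
```

Run it with `node` after pasting the real `npm ls svelte --json` output in place of `SAMPLE_NPM_LS`; the response heuristics are a starting point for a log scanner and will need tuning against your own SSR output, since legitimate pages can also put a tag directly after a comment.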


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the Svelte package to version 5.53.5 or later, which includes a fix that escapes error data before embedding it into HTML comments during server-side rendering.

This fix escapes special characters such as `<` and `>` in error messages, so that the text can neither close the enclosing comment with `-->` nor start a new element, which is what allowed malicious scripts to run.

If an immediate upgrade is not possible, make sure the value returned from `transformError` never contains user-controlled data (for example, return a fixed generic message rather than the original error text), and apply validation and sanitization to any other user-controlled data rendered into server-side HTML comments.

Also, monitor your application for suspicious activity that might indicate exploitation attempts, such as unexpected HTML comment injections or XSS alerts.

