{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27119", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T18:42:27.043Z", "datePublished": "2026-02-20T22:25:42.794Z", "dateUpdated": "2026-02-23T19:42:58.320Z"}, "containers": {"cna": {"title": "Svelte affected by XSS in SSR `<option>` element", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-h7h7-mm68-gmrc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-h7h7-mm68-gmrc"}], "affected": [{"vendor": "sveltejs", "product": "svelte", "versions": [{"version": ">= 5.39.3, < 5.51.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T22:25:42.794Z"}, "descriptions": [{"lang": "en", "value": "svelte performance oriented web framework. From 5.39.3, <=5.51.4, in certain circumstances, the server-side rendering output of an <option> element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5."}], "source": {"advisory": "GHSA-h7h7-mm68-gmrc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T19:41:15.323949Z", "id": "CVE-2026-27119", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T19:42:58.320Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27119", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T19:41:15.323949Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T19:42:32.464Z"}}], "cna": {"title": "Svelte affected by XSS in SSR `<option>` element", "source": {"advisory": "GHSA-h7h7-mm68-gmrc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "sveltejs", "product": "svelte", "versions": [{"status": "affected", "version": ">= 5.39.3, < 5.51.5"}]}], "references": [{"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-h7h7-mm68-gmrc", "name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-h7h7-mm68-gmrc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "svelte performance oriented web framework. From 5.39.3, <=5.51.4, in certain circumstances, the server-side rendering output of an <option> element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T22:25:42.794Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27119", "state": "PUBLISHED", "dateUpdated": "2026-02-23T19:42:58.320Z", "dateReserved": "2026-02-17T18:42:27.043Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-20T22:25:42.794Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "03E3566B-7270-49AE-8C2E-4F39941F3D8A", "versionEndExcluding": "5.51.5", "versionStartIncluding": "5.39.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "svelte performance oriented web framework. From 5.39.3, <=5.51.4, in certain circumstances, the server-side rendering output of an <option> element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5."}], "id": "CVE-2026-27119", "lastModified": "2026-02-23T20:54:04.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-20T23:16:02.360", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-h7h7-mm68-gmrc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "svelte: Svelte affected by XSS in SSR `<option>` element", "id": "2441526", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441526"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-79", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27119", "package_state": [{"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Fix deferred", "package_name": "rhdesktop/rh-podman-desktop-ext-bootc-rhel10", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}], "public_date": "2026-02-20T22:25:42Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27119\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27119\nhttps://github.com/sveltejs/svelte/security/advisories/GHSA-h7h7-mm68-gmrc"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.39.3,5.51.5)"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "svelte", "source": "cna", "vendor": "sveltejs"}, "product": "svelte", "vendor": "svelte"}], "analysis": {"en": {"generated_at": "2026-04-17T17:01:21.560154+00:00", "value": {"mitigation_remediation": ["Upgrade Svelte to version 5.51.5 or later to apply the escaping fix.", "If an upgrade cannot be performed immediately, avoid rendering <option> elements with untrusted content on the server side; alternatively, manually escape or sanitize the option content before it is embedded in the SSR output.", "Ensure that any user\u2011provided data used in <option> elements is validated on the server to prevent injection of malicious markup."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (XSS) in server\u2011side rendering"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Svelte framework for the JavaScript runtime environment, specifically versions from 5.39.3 through 5.51.4 inclusive. Svelte is used to build web applications that often rely on Node.js for server\u2011side rendering. The issue is present only in server\u2011side rendering; client\u2011side rendering remains unaffected.", "description_and_impact": "A flaw in Svelte\u2019s server\u2011side rendering engine causes an <option> element\u2019s content to be written without proper escaping, enabling an attacker to inject arbitrary HTML or JavaScript into the rendered page. This is a typical reflected XSS vulnerability (CWE\u201179) that can compromise the confidentiality, integrity, or availability of client side code when the injection is executed in the browser.", "risk_and_exploitability": "According to the CVSS score of 5.1, the vulnerability has medium severity. The EPSS score of less than 1% indicates a low probability of exploitation at the current time, and it is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. However, attackers could construct malicious <option> content that is rendered during SSR, resulting in client\u2011side XSS if the application accepts untrusted input for option elements. The likely attack vector is a server route that renders <option> elements with data supplied by an external source without proper sanitization."}}}}, "created": "2026-02-23T14:33:36.127179+00:00", "updated": "2026-04-17T17:15:23.710931+00:00", "vendors": ["svelte", "svelte$PRODUCT$svelte"]}