{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27901", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T15:19:29.718Z", "datePublished": "2026-02-26T00:57:40.269Z", "dateUpdated": "2026-02-26T14:31:00.714Z"}, "containers": {"cna": {"title": "Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh"}, {"name": "https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d"}, {"name": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5"}], "affected": [{"vendor": "sveltejs", "product": "svelte", "versions": [{"version": "< 5.53.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:57:40.269Z"}, "descriptions": [{"lang": "en", "value": "Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue."}], "source": {"advisory": "GHSA-phwv-c562-gvmh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T14:30:46.335897Z", "id": "CVE-2026-27901", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:31:00.714Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27901", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T14:30:46.335897Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:30:52.144Z"}}], "cna": {"title": "Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`", "source": {"advisory": "GHSA-phwv-c562-gvmh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "sveltejs", "product": "svelte", "versions": [{"status": "affected", "version": "< 5.53.5"}]}], "references": [{"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh", "name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d", "name": "https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5", "name": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:57:40.269Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27901", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:31:00.714Z", "dateReserved": "2026-02-24T15:19:29.718Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T00:57:40.269Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "94559490-A41A-4BD6-8BBB-2B7DE3ED2371", "versionEndExcluding": "5.53.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:svelte:svelte:5.53.5:*:*:*:*:node.js:*:*", "matchCriteriaId": "5AA08C57-D7C4-48C9-BC0C-98B99E99E42E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue."}, {"lang": "es", "value": "Framework web Svelte orientado al rendimiento. Antes de la versi\u00f3n 5.53.5, el contenido de `bind:innerText` y `bind:textContent` en elementos `contenteditable` no se escapaba correctamente. Esto podr\u00eda permitir la inyecci\u00f3n de HTML y cross-site scripting (XSS) si se renderizaban datos no confiables como el valor inicial del enlace en el servidor. La versi\u00f3n 5.53.5 corrige el problema."}], "id": "CVE-2026-27901", "lastModified": "2026-03-05T14:49:14.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T02:16:20.967", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "svelte: Svelte: Cross-Site Scripting and HTML injection via improper escaping of bind:innerText and bind:textContent", "id": "2442918", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442918"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-27901", "package_state": [{"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Affected", "package_name": "rhdesktop/rh-podman-desktop-ext-bootc-rhel10", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}], "public_date": "2026-02-26T00:57:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27901\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27901\nhttps://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d\nhttps://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5\nhttps://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.53.5)"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "svelte", "source": "cna", "vendor": "sveltejs"}, "product": "svelte", "vendor": "svelte"}], "analysis": {"en": {"generated_at": "2026-04-17T14:34:12.632560+00:00", "value": {"mitigation_remediation": ["Upgrade the Svelte framework to version 5.53.5 or later, which provides proper escaping for the vulnerable bindings.", "Audit your codebase to locate all instances of bind:innerText or bind:textContent on contenteditable elements. Verify that the bound values do not originate from untrusted input during server\u2011side rendering.", "If an immediate upgrade is not possible, sanitize any untrusted data before assigning it as the initial value for these bindings, or avoid using contenteditable elements with these bindings in server\u2011rendered pages until the patch is applied."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of Svelte older than version 5.53.5 that render contenteditable elements with bind:innerText or bind:textContent on the server are affected. The issue applies to the sveltejs:svelte product as distributed through npm for Node.js environments.", "description_and_impact": "The vulnerability exists in the Svelte framework when rendering untrusted data as the initial value of a contenteditable element that uses bind:innerText or bind:textContent during server\u2011side rendering. Because the framework fails to escape the contents of these bindings, an attacker can inject malicious HTML, resulting in client\u2011side script execution. This is a typical web page injection flaw (CWE\u201179) that allows an attacker to run arbitrary code in the browser, steal session data, deface the page, or perform other malicious actions against users of the affected site.", "risk_and_exploitability": "The advisory assigns a CVSS score of 5.3, indicating moderate severity, and an EPSS score of less than 1%, reflecting a low but non\u2011zero likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires that an attacker can supply untrusted data to the server\u2019s rendering of a contenteditable field using the affected bindings. Upon rendering, the malicious payload will execute in the victim\u2019s browser, providing typical XSS consequences."}}}}, "created": "2026-02-26T13:10:11.498953+00:00", "updated": "2026-04-17T14:45:21.024909+00:00", "vendors": ["svelte", "svelte$PRODUCT$svelte"]}