{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27902", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T15:19:29.718Z", "datePublished": "2026-02-26T00:58:54.604Z", "dateUpdated": "2026-02-26T18:51:39.142Z"}, "containers": {"cna": {"title": "Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-qgvg-pr8v-6rr3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-qgvg-pr8v-6rr3"}, {"name": "https://github.com/sveltejs/svelte/commit/0298e979371bb583855c9810db79a70a551d22b9", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/svelte/commit/0298e979371bb583855c9810db79a70a551d22b9"}, {"name": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5"}], "affected": [{"vendor": "sveltejs", "product": "svelte", "versions": [{"version": ">= 5.53.0, < 5.53.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:58:54.604Z"}, "descriptions": [{"lang": "en", "value": "Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue."}], "source": {"advisory": "GHSA-qgvg-pr8v-6rr3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T18:51:28.889254Z", "id": "CVE-2026-27902", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:51:39.142Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27902", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T18:51:28.889254Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:51:34.608Z"}}], "cna": {"title": "Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers", "source": {"advisory": "GHSA-qgvg-pr8v-6rr3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "sveltejs", "product": "svelte", "versions": [{"status": "affected", "version": ">= 5.53.0, < 5.53.5"}]}], "references": [{"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-qgvg-pr8v-6rr3", "name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-qgvg-pr8v-6rr3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sveltejs/svelte/commit/0298e979371bb583855c9810db79a70a551d22b9", "name": "https://github.com/sveltejs/svelte/commit/0298e979371bb583855c9810db79a70a551d22b9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5", "name": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:58:54.604Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27902", "state": "PUBLISHED", "dateUpdated": "2026-02-26T18:51:39.142Z", "dateReserved": "2026-02-24T15:19:29.718Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T00:58:54.604Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "EFAD88AD-F168-4A28-AAF0-17FBF87C580A", "versionEndExcluding": "5.53.5", "versionStartIncluding": "5.53.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue."}, {"lang": "es", "value": "Framework web Svelte orientado al rendimiento. Antes de la versi\u00f3n 5.53.5, los errores de `transformError` no se escapaban correctamente antes de ser incrustados en la salida HTML, lo que causaba una posible inyecci\u00f3n HTML y XSS si el contenido controlado por el atacante se devuelve desde `transformError`. La versi\u00f3n 5.53.5 corrige el problema."}], "id": "CVE-2026-27902", "lastModified": "2026-03-05T14:48:34.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T02:16:21.170", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sveltejs/svelte/commit/0298e979371bb583855c9810db79a70a551d22b9"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-qgvg-pr8v-6rr3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "svelte: Svelte: Cross-Site Scripting via unsanitized error output", "id": "2442917", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442917"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue.", "A cross-site scripting (XSS) vulnerability was found in Svelte\u2019s server-side rendering (SSR) error handling. Error messages returned from the transformError function were not properly escaped before being embedded into HTML output within hydration markers. If an application returns attacker-controlled content through transformError, the content may be interpreted as HTML in the rendered page, resulting in HTML injection and potential execution of arbitrary JavaScript in a victim\u2019s browser. Successful exploitation could allow an attacker to access sensitive information or perform actions in the context of the affected user."], "name": "CVE-2026-27902", "package_state": [{"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Fix deferred", "package_name": "rhdesktop/rh-podman-desktop-ext-bootc-rhel10", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-02-26T00:58:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27902\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27902\nhttps://github.com/sveltejs/svelte/commit/0298e979371bb583855c9810db79a70a551d22b9\nhttps://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5\nhttps://github.com/sveltejs/svelte/security/advisories/GHSA-qgvg-pr8v-6rr3"], "statement": "This MODERATE severity cross-site scripting (XSS) flaw in Svelte's server-side rendering (SSR) error handling allows for HTML injection. If an application utilizing Svelte's SSR returns attacker-controlled content through the `transformError` function, it could lead to the execution of arbitrary JavaScript in a victim's browser. This only affects applications or packages that embed or utilize Svelte in a server-side rendering context.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.53.0,5.53.5)"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "svelte", "source": "cna", "vendor": "sveltejs"}, "product": "svelte", "vendor": "svelte"}], "analysis": {"en": {"generated_at": "2026-04-18T19:34:18.761740+00:00", "value": {"mitigation_remediation": ["Upgrade the Svelte framework to version 5.53.5 or later to apply the core fix.", "Validate or escape any data passed to or returned from transformError so that it does not contain unescaped user input.", "If an upgrade cannot be performed immediately, implement a custom error boundary that sanitizes the error string or replace the default error boundary with a custom implementation that performs proper escaping."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any project that uses the open\u2011source Svelte framework older than version 5.53.5 is vulnerable. The product is identified as sveltejs:svelte; updating to 5.53.5 or newer eliminates the issue.", "description_and_impact": "This vulnerability exists in the Svelte framework when server\u2011side rendering errors are processed by transformError. The error string returned by transformError is inserted into the HTML output without escaping, allowing an attacker\u2011controlled string to inject malicious markup or JavaScript. The flaw is a classic XSS that falls under CWE\u201179 and can compromise the integrity and confidentiality of a user\u2019s session.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate risk, while the EPSS score of <1% suggests that a publicly available exploit is unlikely at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector requires an attacker to cause Svelte to surface an error containing attacker\u2011controlled content, such as by manipulating user input processed by a transformError function or by exploiting a bug that feeds unsanitized data to transformError."}}}}, "created": "2026-02-26T13:10:10.552575+00:00", "updated": "2026-04-18T19:45:08.958944+00:00", "vendors": ["svelte", "svelte$PRODUCT$svelte"]}