
Svelte Server-Side Rendering Can Inject Malicious HTML

CVE-2026-27122 GHSA-m56q-vw4c-c2cp
Summary

Svelte's server-side rendering (SSR) does not validate user-supplied HTML tag names before emitting them, which can allow an attacker to inject malicious HTML into the rendered page. Only applications that use Svelte's server-side rendering are affected; client-side rendering is not. Update to the latest version of Svelte to fix the issue.

What to do
  • Update GitHub Actions svelte to version 5.51.5.
Affected software
Vendor          Product   Affected versions   Fix available
GitHub Actions  svelte    <= 5.51.4           5.51.5
svelte          svelte    <= 5.51.5           –
Original title
Svelte SSR does not validate dynamic element tag names in `<svelte:element>`
Original description
When using `<svelte:element this={tag}>` in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.
NVD CVSS 3.1: 5.4
NVD CVSS 4.0: 5.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026