
Svelte SSR Option Element Vulnerable to Malicious Code Injection

CVE-2026-27119 GHSA-h7h7-mm68-gmrc
Summary

Svelte's server-side rendering may not properly escape the content of an `<option>` element, which can let an attacker inject HTML into the rendered output. This could allow an attacker to manipulate pages and steal user data. Update to the latest version of Svelte to fix this issue.

What to do
  • Update GitHub Actions svelte to version 5.51.5.
Affected software
Vendor | Product | Affected versions | Fix available
GitHub Actions | svelte | > 5.39.3, <= 5.51.5 | 5.51.5
svelte | svelte | > 5.39.3, <= 5.51.5 | –
Original title
Svelte affected by XSS in SSR `<option>` element
Original description
In certain circumstances, the server-side rendering output of an `<option>` element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected.
nvd CVSS3.1 5.4
nvd CVSS4.0 5.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026