Svelte: Malicious Code Injection in Error Messages
CVE-2026-27902
GHSA-qgvg-pr8v-6rr3
Summary
A Svelte application can end up embedding unescaped, attacker-influenced error text in its server-rendered HTML: if content an attacker can manipulate is returned from the error-transformation hook, it is written into the page without escaping, which allows HTML injection and cross-site scripting. This could allow an attacker to steal sensitive information or take control of the application. To fix this issue, update Svelte to the latest version or follow the provided patch instructions.
What to do
- Update GitHub Actions svelte to version 5.53.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| GitHub Actions | svelte | > 5.53.0, <= 5.53.5 | 5.53.5 |
| svelte | svelte | > 5.53.0, <= 5.53.5 | – |
Original title
Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers
Original description
Errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`.
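The bug class described above, as an added example that is not Svelte's code: a hypothetical SSR renderer writes an error-boundary hydration marker as an HTML comment and embeds the message a `transformError`-style hook returns. The marker format, function names and sample message are assumptions; the unsafe and escaped renderers are shown side by side with a check that a marker comment cannot be terminated early.

```javascript
// Added example (not Svelte's code). Assumed marker layout for an SSR
// error boundary: the transformed error message sits inside an HTML comment.
const MARKER_PREFIX = '<!--[error:';
const MARKER_SUFFIX = '-->';

// Vulnerable form: the message is concatenated raw. A message containing
// "-->" closes the comment, and whatever follows is parsed as markup.
function renderMarkerUnsafe(message) {
  return `${MARKER_PREFIX}${message}${MARKER_SUFFIX}`;
}

// Escape the characters that can form a comment boundary ("-->", "--!>",
// "<!--") or open a tag once the comment is broken out of.
function escapeForComment(message) {
  return String(message)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened form: escape before embedding.
function renderMarkerSafe(message) {
  return `${MARKER_PREFIX}${escapeForComment(message)}${MARKER_SUFFIX}`;
}

// Defensive check usable in tests or output review: the comment body must
// not contain any sequence an HTML parser treats as a comment boundary,
// and must not end with "<!-" (which would join the closing "-->").
function markerIsWellFormed(markup) {
  if (!markup.startsWith(MARKER_PREFIX) || !markup.endsWith(MARKER_SUFFIX)) {
    return false;
  }
  const body = markup.slice(MARKER_PREFIX.length, -MARKER_SUFFIX.length);
  return !/-->|--!>|<!--/.test(body) && !body.endsWith('<!-');
}

// Constructed sample: an error message that echoes request-derived text.
const sampleMessage = 'Not found: page -->leaked text';

console.log('unsafe well-formed:', markerIsWellFormed(renderMarkerUnsafe(sampleMessage)));
console.log('safe   well-formed:', markerIsWellFormed(renderMarkerSafe(sampleMessage)));
```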
NVD CVSS 3.1: 5.4
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
- https://nvd.nist.gov/vuln/detail/CVE-2026-27902
- https://github.com/advisories/GHSA-qgvg-pr8v-6rr3
- https://github.com/sveltejs/svelte/commit/0298e979371bb583855c9810db79a70a551d22... Patch
- https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5 Release Notes
- https://github.com/sveltejs/svelte/security/advisories/GHSA-qgvg-pr8v-6rr3 Vendor Advisory
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026