Svelte SSR Webpage Tampering with Untrusted Data
CVE-2026-27901
GHSA-phwv-c562-gvmh
Summary
When Svelte renders `contenteditable` elements on the server (SSR), untrusted data supplied as the element's initial value may be injected into the page unescaped, allowing attackers to manipulate or steal user data. This matters whenever user-generated content or other untrusted input is rendered. To protect against it, sanitize or escape any untrusted data before rendering it.
What to do
- Update GitHub Actions svelte to version 5.53.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| GitHub Actions | svelte | <= 5.53.4 | 5.53.5 |
| svelte | svelte | <= 5.53.5 | – |
| svelte | svelte | 5.53.5 | – |
Original title
Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`
Original description
The contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server.
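The following is an added illustration, not code from the Svelte project or its patch. It reduces the advisory to its core: the initial value of a `contenteditable` element rendered on the server is ordinary HTML text content, so it must be HTML-escaped, otherwise a value containing markup becomes live markup in the page. The `renderUnsafe` / `renderSafe` helpers, the tag-count audit and the sample input are assumptions made for this example; the actual remedy for Svelte is upgrading to the fixed release, which applies this escaping in the compiler's SSR output.

```javascript
// Added example (not Svelte's own code). Models the SSR output of an element such as
// <div contenteditable bind:innerText={value}> with and without escaping of `value`.
// Helper names are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change meaning inside HTML text or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the untrusted value is interpolated verbatim into the markup,
// which is the defect the advisory describes for bind:innerText / bind:textContent.
function renderUnsafe(value) {
  return `<div contenteditable="true">${value}</div>`;
}

// Hardened pattern: the value is escaped before it reaches the element's text content,
// so the browser shows the characters literally instead of parsing them as tags.
function renderSafe(value) {
  return `<div contenteditable="true">${escapeHtml(value)}</div>`;
}

// Small audit check for rendered output: count HTML tags in the fragment.
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// The wrapper contributes exactly two tags (open + close); anything more means the
// bound value was interpreted as markup rather than as text.
function hasInjectedMarkup(html) {
  return countTags(html) > 2;
}

// Constructed untrusted input: a profile field in which the user typed markup.
const UNTRUSTED = 'Alice <b>is</b> here';

function demo() {
  const unsafe = renderUnsafe(UNTRUSTED);
  const safe = renderSafe(UNTRUSTED);
  return {
    unsafe,
    safe,
    unsafeInjected: hasInjectedMarkup(unsafe), // true: <b> became a real element
    safeInjected: hasInjectedMarkup(safe),     // false: rendered as &lt;b&gt;
  };
}
```

The `hasInjectedMarkup` check is a cheap way to assert, in a rendering test, that a bound value can never add elements to the SSR output; it is the kind of regression test that would have caught this class of defect before the escaping was added.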
NVD CVSS 3.1
6.1
NVD CVSS 4.0
5.3
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-27901
- https://github.com/advisories/GHSA-phwv-c562-gvmh
- https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb8795... (Patch)
- https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5 (Release Notes)
- https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh (Vendor Advisory)
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026