VulnerableCode Package Details - pkg:npm/svelte@5.1.13

Search for packages

Vulnerability	Summary	Fixed by
VCID-4hh1-vzj8-bqfy Aliases: CVE-2026-27122 GHSA-m56q-vw4c-c2cp	svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.	5.51.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-eub6-k2yh-suhb Aliases: CVE-2026-27901 GHSA-phwv-c562-gvmh	Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.	5.53.5 Affected by 0 other vulnerabilities.
VCID-w8kg-2qq6-xyet Aliases: CVE-2026-27121 GHSA-f7gr-6p89-r883	svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.	5.51.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-x1g1-8b9m-5yhz Aliases: CVE-2026-27125 GHSA-crpf-4hrx-3jrp	svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.	5.51.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-4hh1-vzj8-bqfy
Aliases:
CVE-2026-27122
GHSA-m56q-vw4c-c2cp

svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.

5.51.5
Affected by 1 other vulnerability.

VCID-eub6-k2yh-suhb
Aliases:
CVE-2026-27901
GHSA-phwv-c562-gvmh

Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.

5.53.5
Affected by 0 other vulnerabilities.

VCID-w8kg-2qq6-xyet
Aliases:
CVE-2026-27121
GHSA-f7gr-6p89-r883

svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.

5.51.5
Affected by 1 other vulnerability.

VCID-x1g1-8b9m-5yhz
Aliases:
CVE-2026-27125
GHSA-crpf-4hrx-3jrp

svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.

5.51.5
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T21:10:21.829114+00:00	GitLab Importer	Affected by	VCID-eub6-k2yh-suhb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/svelte/CVE-2026-27901.yml	38.6.0
2026-06-12T21:01:39.875412+00:00	GitLab Importer	Affected by	VCID-w8kg-2qq6-xyet	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/svelte/CVE-2026-27121.yml	38.6.0
2026-06-12T21:01:27.591355+00:00	GitLab Importer	Affected by	VCID-4hh1-vzj8-bqfy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/svelte/CVE-2026-27122.yml	38.6.0
2026-06-12T21:01:18.137410+00:00	GitLab Importer	Affected by	VCID-x1g1-8b9m-5yhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/svelte/CVE-2026-27125.yml	38.6.0