VulnerableCode Package Details - pkg:npm/svelte@5.51.5

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1p31-6wc5-s7e9	Svelte SSR does not validate dynamic element tag names in `<svelte:element>` When using `<svelte:element this={tag}>` in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.	CVE-2026-27122 GHSA-m56q-vw4c-c2cp
VCID-4371-nuun-bybx	Svelte SSR attribute spreading includes inherited properties from prototype chain In server-side rendering, attribute spreading on elements (e.g. `<div {...attrs}>`) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where `Object.prototype` has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected.	CVE-2026-27125 GHSA-crpf-4hrx-3jrp
VCID-5ehr-h8wm-nqdv	Svelte affected by XSS in SSR `<option>` element In certain circumstances, the server-side rendering output of an `<option>` element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected.	CVE-2026-27119 GHSA-h7h7-mm68-gmrc
VCID-v4yv-krg8-tkhd	Svelte affected by cross-site scripting via spread attributes in Svelte SSR Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers.	CVE-2026-27121 GHSA-f7gr-6p89-r883

Vulnerability

Summary

Aliases

VCID-1p31-6wc5-s7e9

Svelte SSR does not validate dynamic element tag names in `<svelte:element>` When using `<svelte:element this={tag}>` in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.

CVE-2026-27122
GHSA-m56q-vw4c-c2cp

VCID-4371-nuun-bybx

Svelte SSR attribute spreading includes inherited properties from prototype chain In server-side rendering, attribute spreading on elements (e.g. `<div {...attrs}>`) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where `Object.prototype` has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected.

CVE-2026-27125
GHSA-crpf-4hrx-3jrp

VCID-5ehr-h8wm-nqdv

Svelte affected by XSS in SSR `<option>` element In certain circumstances, the server-side rendering output of an `<option>` element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected.

CVE-2026-27119
GHSA-h7h7-mm68-gmrc

VCID-v4yv-krg8-tkhd

Svelte affected by cross-site scripting via spread attributes in Svelte SSR Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers.

CVE-2026-27121
GHSA-f7gr-6p89-r883

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T01:07:27.408608+00:00	GHSA Importer	Fixing	VCID-4371-nuun-bybx	https://github.com/advisories/GHSA-crpf-4hrx-3jrp	38.6.0
2026-05-31T01:07:26.942684+00:00	GHSA Importer	Fixing	VCID-1p31-6wc5-s7e9	https://github.com/advisories/GHSA-m56q-vw4c-c2cp	38.6.0
2026-05-31T01:07:26.909237+00:00	GHSA Importer	Fixing	VCID-v4yv-krg8-tkhd	https://github.com/advisories/GHSA-f7gr-6p89-r883	38.6.0
2026-05-31T01:07:26.869936+00:00	GHSA Importer	Fixing	VCID-5ehr-h8wm-nqdv	https://github.com/advisories/GHSA-h7h7-mm68-gmrc	38.6.0
2026-05-30T21:06:43.923679+00:00	GitLab Importer	Fixing	VCID-v4yv-krg8-tkhd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/svelte/CVE-2026-27121.yml	38.6.0
2026-05-30T21:06:43.406861+00:00	GitLab Importer	Fixing	VCID-5ehr-h8wm-nqdv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/svelte/CVE-2026-27119.yml	38.6.0
2026-05-30T21:06:43.281279+00:00	GitLab Importer	Fixing	VCID-1p31-6wc5-s7e9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/svelte/CVE-2026-27122.yml	38.6.0
2026-05-30T21:06:42.857154+00:00	GitLab Importer	Fixing	VCID-4371-nuun-bybx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/svelte/CVE-2026-27125.yml	38.6.0