{"url":"http://public2.vulnerablecode.io/api/packages/561771?format=json","purl":"pkg:npm/svelte@1.10.1","type":"npm","namespace":"","name":"svelte","version":"1.10.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.53.5","latest_non_vulnerable_version":"5.55.7","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9566?format=json","vulnerability_id":"VCID-3k3w-xf7a-gqay","summary":"svelte: Svelte SSR does not validate dynamic element tag names in `<svelte:element>`","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27122.json","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27122.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27122","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01393","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27122"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cp","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:22:44Z/"}],"url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27122","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27122"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441520","reference_id":"2441520","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441520"},{"reference_url":"https://github.com/advisories/GHSA-m56q-vw4c-c2cp","reference_id":"GHSA-m56q-vw4c-c2cp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m56q-vw4c-c2cp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55025?format=json","purl":"pkg:npm/svelte@5.51.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-samz-sqnw-2kfp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.51.5"}],"aliases":["CVE-2026-27122","GHSA-m56q-vw4c-c2cp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3k3w-xf7a-gqay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52222?format=json","vulnerability_id":"VCID-7zr4-885u-dkf8","summary":"Svelte vulnerable to XSS when using objects during server-side rendering\nThe package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25875","reference_id":"","reference_type":"","scores":[{"value":"0.00725","scoring_system":"epss","scoring_elements":"0.72894","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25875"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"},{"reference_url":"https://github.com/sveltejs/svelte/pull/7530#23issuecomment-1158575990","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte/pull/7530#23issuecomment-1158575990"},{"reference_url":"https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25875","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25875"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-SVELTE-2931080","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"},{"reference_url":"https://github.com/advisories/GHSA-wv8q-r932-8hc7","reference_id":"GHSA-wv8q-r932-8hc7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wv8q-r932-8hc7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/88594?format=json","purl":"pkg:npm/svelte@3.49.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k3w-xf7a-gqay"},{"vulnerability":"VCID-8k67-yqe2-9yg8"},{"vulnerability":"VCID-cdsp-53me-ffdr"},{"vulnerability":"VCID-nkne-fk5k-43fv"},{"vulnerability":"VCID-r52d-gjbx-8uhm"},{"vulnerability":"VCID-samz-sqnw-2kfp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@3.49.0"}],"aliases":["CVE-2022-25875","GHSA-wv8q-r932-8hc7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7zr4-885u-dkf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10879?format=json","vulnerability_id":"VCID-8k67-yqe2-9yg8","summary":"Svelte has a potential mXSS vulnerability due to improper HTML escaping\n### Summary\n\nA potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.\n\n### Details\n\nSvelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:\n\n- If the string is an attribute value:\n    - `\"` -> `&quot;`\n    - `&` -> `&amp;`\n    - Other characters -> No conversion\n- Otherwise:\n    - `<` -> `&lt;`\n    - `&` -> `&amp;`\n    - Other characters -> No conversion\n\nThe assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a `<noscript>` tag.\n\n### PoC\n\nA vulnerable page (`+page.svelte`):\n```html\n<script>\nimport { page } from \"$app/stores\"\n\n// user input\nlet href = $page.url.searchParams.get(\"href\") ?? \"https://example.com\";\n</script>\n\n<noscript>\n  <a href={href}>test</a>\n</noscript>\n```\n\nIf a user accesses the following URL,\n```\nhttp://localhost:4173/?href=</noscript><script>alert(123)</script>\n```\nthen, `alert(123)` will be executed.\n\n### Impact\n\nXSS, when using an attribute within a noscript tag","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45047","reference_id":"","reference_type":"","scores":[{"value":"0.00383","scoring_system":"epss","scoring_elements":"0.59887","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45047"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://github.com/sveltejs/svelte/commit/83e96e044deb5ecbae2af361ae9e31d3e1ac43a3","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte/commit/83e96e044deb5ecbae2af361ae9e31d3e1ac43a3"},{"reference_url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-30T18:09:31Z/"}],"url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45047","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45047"},{"reference_url":"https://github.com/advisories/GHSA-8266-84wp-wv5c","reference_id":"GHSA-8266-84wp-wv5c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8266-84wp-wv5c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28455?format=json","purl":"pkg:npm/svelte@4.2.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k3w-xf7a-gqay"},{"vulnerability":"VCID-cdsp-53me-ffdr"},{"vulnerability":"VCID-nkne-fk5k-43fv"},{"vulnerability":"VCID-samz-sqnw-2kfp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@4.2.19"}],"aliases":["CVE-2024-45047","GHSA-8266-84wp-wv5c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8k67-yqe2-9yg8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9565?format=json","vulnerability_id":"VCID-cdsp-53me-ffdr","summary":"svelte: Svelte SSR attribute spreading includes inherited properties from prototype chain","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27125.json","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27125.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27125","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09162","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27125"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T21:33:01Z/"}],"url":"https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f"},{"reference_url":"https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T21:33:01Z/"}],"url":"https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5"},{"reference_url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T21:33:01Z/"}],"url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27125","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27125"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441511","reference_id":"2441511","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441511"},{"reference_url":"https://github.com/advisories/GHSA-crpf-4hrx-3jrp","reference_id":"GHSA-crpf-4hrx-3jrp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-crpf-4hrx-3jrp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55025?format=json","purl":"pkg:npm/svelte@5.51.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-samz-sqnw-2kfp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.51.5"}],"aliases":["CVE-2026-27125","GHSA-crpf-4hrx-3jrp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cdsp-53me-ffdr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9568?format=json","vulnerability_id":"VCID-nkne-fk5k-43fv","summary":"svelte: Svelte affected by cross-site scripting via spread attributes in Svelte SSR","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27121.json","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27121.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27121","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01431","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27121"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:31:36Z/"}],"url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27121","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27121"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441532","reference_id":"2441532","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441532"},{"reference_url":"https://github.com/advisories/GHSA-f7gr-6p89-r883","reference_id":"GHSA-f7gr-6p89-r883","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f7gr-6p89-r883"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55025?format=json","purl":"pkg:npm/svelte@5.51.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-samz-sqnw-2kfp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.51.5"}],"aliases":["CVE-2026-27121","GHSA-f7gr-6p89-r883"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nkne-fk5k-43fv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8828?format=json","vulnerability_id":"VCID-samz-sqnw-2kfp","summary":"svelte: Svelte: Cross-Site Scripting and HTML injection via improper escaping of bind:innerText and bind:textContent","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27901.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27901.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27901","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10446","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27901"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:30:46Z/"}],"url":"https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d"},{"reference_url":"https://github.com/sveltejs/svelte/releases/tag/svelte@5.53.5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte/releases/tag/svelte@5.53.5"},{"reference_url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:30:46Z/"}],"url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27901","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27901"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442918","reference_id":"2442918","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442918"},{"reference_url":"https://github.com/advisories/GHSA-phwv-c562-gvmh","reference_id":"GHSA-phwv-c562-gvmh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-phwv-c562-gvmh"},{"reference_url":"https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5","reference_id":"svelte%405.53.5","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:30:46Z/"}],"url":"https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55164?format=json","purl":"pkg:npm/svelte@5.53.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.53.5"}],"aliases":["CVE-2026-27901","GHSA-phwv-c562-gvmh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-samz-sqnw-2kfp"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@1.10.1"}