Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/561819?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/561819?format=api", "purl": "pkg:npm/svelte@1.25.1", "type": "npm", "namespace": "", "name": "svelte", "version": "1.25.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.53.5", "latest_non_vulnerable_version": "5.55.7", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9566?format=api", "vulnerability_id": "VCID-3k3w-xf7a-gqay", "summary": "svelte: Svelte SSR does not validate dynamic element tag names in `<svelte:element>`", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27122.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27122.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27122", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01393", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27122" }, { "reference_url": "https://github.com/sveltejs/svelte", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sveltejs/svelte" }, { "reference_url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cp", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:22:44Z/" } ], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27122", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27122" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441520", "reference_id": "2441520", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441520" }, { "reference_url": "https://github.com/advisories/GHSA-m56q-vw4c-c2cp", "reference_id": "GHSA-m56q-vw4c-c2cp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m56q-vw4c-c2cp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55025?format=api", "purl": "pkg:npm/svelte@5.51.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-samz-sqnw-2kfp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.51.5" } ], "aliases": [ "CVE-2026-27122", "GHSA-m56q-vw4c-c2cp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3k3w-xf7a-gqay" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52222?format=api", "vulnerability_id": "VCID-7zr4-885u-dkf8", "summary": "Svelte vulnerable to XSS when using objects during server-side rendering\nThe package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25875", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00725", "scoring_system": "epss", "scoring_elements": "0.72894", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25875" }, { "reference_url": "https://github.com/sveltejs/svelte", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sveltejs/svelte" }, { "reference_url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907" }, { "reference_url": "https://github.com/sveltejs/svelte/pull/7530#23issuecomment-1158575990", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sveltejs/svelte/pull/7530#23issuecomment-1158575990" }, { "reference_url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25875", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25875" }, { "reference_url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080" }, { "reference_url": "https://github.com/advisories/GHSA-wv8q-r932-8hc7", "reference_id": "GHSA-wv8q-r932-8hc7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wv8q-r932-8hc7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/88594?format=api", "purl": "pkg:npm/svelte@3.49.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3k3w-xf7a-gqay" }, { "vulnerability": "VCID-8k67-yqe2-9yg8" }, { "vulnerability": "VCID-cdsp-53me-ffdr" }, { "vulnerability": "VCID-nkne-fk5k-43fv" }, { "vulnerability": "VCID-r52d-gjbx-8uhm" }, { "vulnerability": "VCID-samz-sqnw-2kfp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/svelte@3.49.0" } ], "aliases": [ "CVE-2022-25875", "GHSA-wv8q-r932-8hc7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7zr4-885u-dkf8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/10879?format=api", "vulnerability_id": "VCID-8k67-yqe2-9yg8", "summary": "Svelte has a potential mXSS vulnerability due to improper HTML escaping\n### Summary\n\nA potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.\n\n### Details\n\nSvelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:\n\n- If the string is an attribute value:\n - `\"` -> `"`\n - `&` -> `&`\n - Other characters -> No conversion\n- Otherwise:\n - `<` -> `<`\n - `&` -> `&`\n - Other characters -> No conversion\n\nThe assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a `<noscript>` tag.\n\n### PoC\n\nA vulnerable page (`+page.svelte`):\n```html\n<script>\nimport { page } from \"$app/stores\"\n\n// user input\nlet href = $page.url.searchParams.get(\"href\") ?? \"https://example.com\";\n</script>\n\n<noscript>\n <a href={href}>test</a>\n</noscript>\n```\n\nIf a user accesses the following URL,\n```\nhttp://localhost:4173/?href=</noscript><script>alert(123)</script>\n```\nthen, `alert(123)` will be executed.\n\n### Impact\n\nXSS, when using an attribute within a noscript tag", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45047", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00383", "scoring_system": "epss", "scoring_elements": "0.59887", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45047" }, { "reference_url": "https://github.com/sveltejs/svelte", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sveltejs/svelte" }, { "reference_url": "https://github.com/sveltejs/svelte/commit/83e96e044deb5ecbae2af361ae9e31d3e1ac43a3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sveltejs/svelte/commit/83e96e044deb5ecbae2af361ae9e31d3e1ac43a3" }, { "reference_url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-30T18:09:31Z/" } ], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45047", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45047" }, { "reference_url": "https://github.com/advisories/GHSA-8266-84wp-wv5c", "reference_id": "GHSA-8266-84wp-wv5c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8266-84wp-wv5c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28455?format=api", "purl": "pkg:npm/svelte@4.2.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3k3w-xf7a-gqay" }, { "vulnerability": "VCID-cdsp-53me-ffdr" }, { "vulnerability": "VCID-nkne-fk5k-43fv" }, { "vulnerability": "VCID-samz-sqnw-2kfp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/svelte@4.2.19" } ], "aliases": [ "CVE-2024-45047", "GHSA-8266-84wp-wv5c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8k67-yqe2-9yg8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9565?format=api", "vulnerability_id": "VCID-cdsp-53me-ffdr", "summary": "svelte: Svelte SSR attribute spreading includes inherited properties from prototype chain", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27125.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27125.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27125", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09162", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27125" }, { "reference_url": "https://github.com/sveltejs/svelte", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sveltejs/svelte" }, { "reference_url": "https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T21:33:01Z/" } ], "url": "https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f" }, { "reference_url": "https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T21:33:01Z/" } ], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5" }, { "reference_url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T21:33:01Z/" } ], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27125", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27125" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441511", "reference_id": "2441511", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441511" }, { "reference_url": "https://github.com/advisories/GHSA-crpf-4hrx-3jrp", "reference_id": "GHSA-crpf-4hrx-3jrp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-crpf-4hrx-3jrp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55025?format=api", "purl": "pkg:npm/svelte@5.51.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-samz-sqnw-2kfp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.51.5" } ], "aliases": [ "CVE-2026-27125", "GHSA-crpf-4hrx-3jrp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cdsp-53me-ffdr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9568?format=api", "vulnerability_id": "VCID-nkne-fk5k-43fv", "summary": "svelte: Svelte affected by cross-site scripting via spread attributes in Svelte SSR", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27121.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27121.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27121", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01431", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27121" }, { "reference_url": "https://github.com/sveltejs/svelte", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sveltejs/svelte" }, { "reference_url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:31:36Z/" } ], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27121", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27121" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441532", "reference_id": "2441532", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441532" }, { "reference_url": "https://github.com/advisories/GHSA-f7gr-6p89-r883", "reference_id": "GHSA-f7gr-6p89-r883", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f7gr-6p89-r883" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55025?format=api", "purl": "pkg:npm/svelte@5.51.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-samz-sqnw-2kfp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.51.5" } ], "aliases": [ "CVE-2026-27121", "GHSA-f7gr-6p89-r883" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nkne-fk5k-43fv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8828?format=api", "vulnerability_id": "VCID-samz-sqnw-2kfp", "summary": "svelte: Svelte: Cross-Site Scripting and HTML injection via improper escaping of bind:innerText and bind:textContent", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27901.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27901.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27901", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10446", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27901" }, { "reference_url": "https://github.com/sveltejs/svelte", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sveltejs/svelte" }, { "reference_url": "https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:30:46Z/" } ], "url": "https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d" }, { "reference_url": "https://github.com/sveltejs/svelte/releases/tag/svelte@5.53.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte@5.53.5" }, { "reference_url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:30:46Z/" } ], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27901", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27901" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442918", "reference_id": "2442918", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442918" }, { "reference_url": "https://github.com/advisories/GHSA-phwv-c562-gvmh", "reference_id": "GHSA-phwv-c562-gvmh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-phwv-c562-gvmh" }, { "reference_url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5", "reference_id": "svelte%405.53.5", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:30:46Z/" } ], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55164?format=api", "purl": "pkg:npm/svelte@5.53.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.53.5" } ], "aliases": [ "CVE-2026-27901", "GHSA-phwv-c562-gvmh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-samz-sqnw-2kfp" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/svelte@1.25.1" }