{"url":"http://public2.vulnerablecode.io/api/packages/948991?format=json","purl":"pkg:npm/svelte@5.0.0-next.183","type":"npm","namespace":"","name":"svelte","version":"5.0.0-next.183","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.53.5","latest_non_vulnerable_version":"5.55.7","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79976?format=json","vulnerability_id":"VCID-4hh1-vzj8-bqfy","summary":"svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27122.json","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27122.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27122","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01381","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27122"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441520","reference_id":"2441520","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441520"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27122","reference_id":"CVE-2026-27122","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27122"},{"reference_url":"https://github.com/advisories/GHSA-m56q-vw4c-c2cp","reference_id":"GHSA-m56q-vw4c-c2cp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m56q-vw4c-c2cp"},{"reference_url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cp","reference_id":"GHSA-m56q-vw4c-c2cp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:22:44Z/"}],"url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39423?format=json","purl":"pkg:npm/svelte@5.51.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eub6-k2yh-suhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.51.5"}],"aliases":["CVE-2026-27122","GHSA-m56q-vw4c-c2cp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4hh1-vzj8-bqfy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79781?format=json","vulnerability_id":"VCID-eub6-k2yh-suhb","summary":"Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27901.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27901.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27901","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.1042","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27901"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://github.com/sveltejs/svelte/releases/tag/svelte@5.53.5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte/releases/tag/svelte@5.53.5"},{"reference_url":"https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d","reference_id":"0df5abcae223058ceb95491470372065fb87951d","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:30:46Z/"}],"url":"https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442918","reference_id":"2442918","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442918"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27901","reference_id":"CVE-2026-27901","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27901"},{"reference_url":"https://github.com/advisories/GHSA-phwv-c562-gvmh","reference_id":"GHSA-phwv-c562-gvmh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-phwv-c562-gvmh"},{"reference_url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh","reference_id":"GHSA-phwv-c562-gvmh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:30:46Z/"}],"url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh"},{"reference_url":"https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5","reference_id":"svelte%405.53.5","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:30:46Z/"}],"url":"https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39934?format=json","purl":"pkg:npm/svelte@5.53.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.53.5"}],"aliases":["CVE-2026-27901","GHSA-phwv-c562-gvmh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eub6-k2yh-suhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79864?format=json","vulnerability_id":"VCID-w8kg-2qq6-xyet","summary":"svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27121.json","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27121.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27121","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01418","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27121"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441532","reference_id":"2441532","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441532"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27121","reference_id":"CVE-2026-27121","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27121"},{"reference_url":"https://github.com/advisories/GHSA-f7gr-6p89-r883","reference_id":"GHSA-f7gr-6p89-r883","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f7gr-6p89-r883"},{"reference_url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883","reference_id":"GHSA-f7gr-6p89-r883","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:31:36Z/"}],"url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39423?format=json","purl":"pkg:npm/svelte@5.51.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eub6-k2yh-suhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.51.5"}],"aliases":["CVE-2026-27121","GHSA-f7gr-6p89-r883"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w8kg-2qq6-xyet"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80182?format=json","vulnerability_id":"VCID-x1g1-8b9m-5yhz","summary":"svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27125.json","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27125.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27125","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09109","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27125"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441511","reference_id":"2441511","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441511"},{"reference_url":"https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f","reference_id":"73098bb26c6f06e7fd1b0746d817d2c5ee90755f","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T21:33:01Z/"}],"url":"https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27125","reference_id":"CVE-2026-27125","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27125"},{"reference_url":"https://github.com/advisories/GHSA-crpf-4hrx-3jrp","reference_id":"GHSA-crpf-4hrx-3jrp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-crpf-4hrx-3jrp"},{"reference_url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp","reference_id":"GHSA-crpf-4hrx-3jrp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T21:33:01Z/"}],"url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp"},{"reference_url":"https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5","reference_id":"svelte@5.51.5","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T21:33:01Z/"}],"url":"https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39423?format=json","purl":"pkg:npm/svelte@5.51.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eub6-k2yh-suhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.51.5"}],"aliases":["CVE-2026-27125","GHSA-crpf-4hrx-3jrp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x1g1-8b9m-5yhz"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.0.0-next.183"}