CVE-2026-27902

Description

Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

High

Attack Requirements

Present

Privileges Required

None

User Interaction

Passive

Confidentiality (Vulnerable System)

Low

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

High

Integrity (Subsequent System)

High

Availability (Subsequent System)

None

Affected products

sveltejs / svelte>= 5.53.0, < 5.53.5 – >= 5.53.0, < 5.53.5

References

VENDOR_ADVISORYhttps://github.com/sveltejs/svelte/security/advisories/GHSA-qgvg-pr8v-6rr3
PATCHhttps://github.com/sveltejs/svelte/commit/0298e979371bb583855c9810db79a70a551d22b9
PATCHhttps://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5