CVE-2026-27122

EPSS 0.19%
Veröffentlicht 20.02.2026 22:28:37
Zuletzt bearbeitet 23.02.2026 20:53:01
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Svelte SSR does not validate dynamic element tag names in `<svelte:element>`

svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Svelte ≫ Svelte SwPlatformnode.js Version < 5.51.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.19%	0.086

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	5.1	0	0	CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cp

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-27122

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27122

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27122

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27122