CVE-2026-27119

Source
https://cve.org/CVERecord?id=CVE-2026-27119
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27119.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27119
Aliases
Published
2026-02-20T22:25:42.794Z
Modified
2026-02-25T07:48:07.364433Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N
Summary
Svelte affected by XSS in SSR `<option>` element
Details

Svelte is a performance-oriented web framework. From version 5.39.3 up to and including 5.51.4, in certain circumstances, the server-side rendering (SSR) output of an `<option>` element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27119.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/sveltejs/svelte

Affected ranges

Type
GIT
Repo
https://github.com/sveltejs/svelte
Events

Affected versions

svelte@5.*
svelte@5.39.10
svelte@5.39.11
svelte@5.39.12
svelte@5.39.13
svelte@5.39.3
svelte@5.39.4
svelte@5.39.5
svelte@5.39.6
svelte@5.39.7
svelte@5.39.8
svelte@5.39.9
svelte@5.40.0
svelte@5.40.1
svelte@5.40.2
svelte@5.41.0
svelte@5.41.1
svelte@5.41.2
svelte@5.41.3
svelte@5.41.4
svelte@5.42.0
svelte@5.42.1
svelte@5.42.2
svelte@5.42.3
svelte@5.43.0
svelte@5.43.1
svelte@5.43.10
svelte@5.43.11
svelte@5.43.12
svelte@5.43.13
svelte@5.43.14
svelte@5.43.15
svelte@5.43.2
svelte@5.43.3
svelte@5.43.4
svelte@5.43.5
svelte@5.43.6
svelte@5.43.7
svelte@5.43.8
svelte@5.43.9
svelte@5.44.0
svelte@5.44.1
svelte@5.45.0
svelte@5.45.1
svelte@5.45.10
svelte@5.45.2
svelte@5.45.3
svelte@5.45.4
svelte@5.45.5
svelte@5.45.6
svelte@5.45.7
svelte@5.45.8
svelte@5.45.9
svelte@5.46.0
svelte@5.46.1
svelte@5.46.3
svelte@5.46.4
svelte@5.47.0
svelte@5.47.1
svelte@5.48.0
svelte@5.48.1
svelte@5.48.2
svelte@5.48.3
svelte@5.48.4
svelte@5.48.5
svelte@5.49.0
svelte@5.49.1
svelte@5.49.2
svelte@5.50.0
svelte@5.50.1
svelte@5.50.2
svelte@5.50.3
svelte@5.51.0
svelte@5.51.1
svelte@5.51.2
svelte@5.51.3
svelte@5.51.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27119.json"