CVE-2026-27902
- Source
- https://cve.org/CVERecord?id=CVE-2026-27902
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27902.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-27902
- Aliases
- Published
- 2026-02-26T00:58:54.604Z
- Modified
- 2026-03-03T02:56:47.116631Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N CVSS Calculator
- Summary
- Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers
- Details
-
Svelte performance oriented web framework. Prior to version 5.53.5, errors from
transformErrorwere not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned fromtransformError. Version 5.53.5 fixes the issue. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27902.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27902.json
- https://github.com/sveltejs/svelte/commit/0298e979371bb583855c9810db79a70a551d22b9
- https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5
- https://github.com/sveltejs/svelte/security/advisories/GHSA-qgvg-pr8v-6rr3
- https://nvd.nist.gov/vuln/detail/CVE-2026-27902