GHSA-h7h7-mm68-gmrc

Suggest an improvement
Source
https://github.com/advisories/GHSA-h7h7-mm68-gmrc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-h7h7-mm68-gmrc/GHSA-h7h7-mm68-gmrc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h7h7-mm68-gmrc
Aliases
Published
2026-02-19T15:18:19Z
Modified
2026-02-23T22:48:04.189023Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N CVSS Calculator
Summary
Svelte affected by XSS in SSR `<option>` element
Details

In certain circumstances, the server-side rendering output of an <option> element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected.

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "nvd_published_at": "2026-02-20T23:16:02Z",
    "github_reviewed_at": "2026-02-19T15:18:19Z"
}
References

Affected packages

npm / svelte

Package

Name
svelte
View open source insights on deps.dev
Purl
pkg:npm/svelte

Affected ranges

Type
SEMVER
Events
Introduced
5.39.3
Fixed
5.51.5

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-h7h7-mm68-gmrc/GHSA-h7h7-mm68-gmrc.json"