GHSA-m56q-vw4c-c2cp

Source
https://github.com/advisories/GHSA-m56q-vw4c-c2cp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-m56q-vw4c-c2cp/GHSA-m56q-vw4c-c2cp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m56q-vw4c-c2cp
Aliases
  • CVE-2026-27122
Published
2026-02-19T15:18:42Z
Modified
2026-02-19T15:37:38.517162Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N
Summary
Svelte SSR does not validate dynamic element tag names in `<svelte:element>`
Details

When using `<svelte:element this={tag}>` in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.
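
An application-side guard for values that reach `<svelte:element this={tag}>`, useful as defense in depth alongside the upgrade to the fixed version. This is an added example, not code from Svelte or from the advisory; `ALLOWED_TAGS`, `safeTag`, `renderElement` and `demo` are hypothetical names, and `renderElement` is only a simplified stand-in for string-built SSR output.

```javascript
// Added example. In a component: <svelte:element this={safeTag(tag)}>...</svelte:element>

// Tags this (hypothetical) application expects to render dynamically.
const ALLOWED_TAGS = new Set([
  'div', 'span', 'p', 'section', 'article', 'h1', 'h2', 'h3', 'ul', 'ol', 'li',
]);

// Shape of a plain element name: ASCII letter first, then ASCII letters, digits, hyphens.
// Whitespace, '<', '>', '/', '=', quotes and non-ASCII characters all fail this test.
const TAG_SHAPE = /^[A-Za-z][A-Za-z0-9-]*$/;

function safeTag(tag, fallback = 'div') {
  if (typeof tag !== 'string') return fallback;
  if (!TAG_SHAPE.test(tag)) return fallback;     // unexpected characters
  const name = tag.toLowerCase();
  if (!ALLOWED_TAGS.has(name)) return fallback;  // well-formed but not expected here
  return name;
}

// Stand-in for a renderer that concatenates the tag name into HTML (assumption,
// not Svelte's implementation). Text content is escaped; the tag name is not.
function renderElement(tag, text) {
  const escaped = String(text).replace(/&/g, '&amp;').replace(/</g, '&lt;');
  return `<${tag}>${escaped}</${tag}>`;
}

// Constructed inputs: two expected values, then values a CMS field or query
// parameter might carry if it is not constrained upstream.
function demo() {
  const inputs = ['h2', 'H2', 'script', 'h2 data-constructed="1"', 'div>', '', null];
  return inputs.map((input) => ({
    input,
    unguarded: renderElement(input, 'Title'),
    guarded: renderElement(safeTag(input), 'Title'),
  }));
}
```

The allowlist check matters as much as the shape check: a value can be a syntactically valid tag name and still be one the page should never emit.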

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-02-19T15:18:42Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true
}
References

Affected packages

npm / svelte

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.51.5

Database specific

last_known_affected_version_range
"<= 5.51.4"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-m56q-vw4c-c2cp/GHSA-m56q-vw4c-c2cp.json"