GHSA-qgvg-pr8v-6rr3

Source
https://github.com/advisories/GHSA-qgvg-pr8v-6rr3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-qgvg-pr8v-6rr3/GHSA-qgvg-pr8v-6rr3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qgvg-pr8v-6rr3
Aliases
Published
2026-02-26T22:25:45Z
Modified
2026-02-26T22:37:20.605129Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N
Summary
Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers
Details

Errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2026-02-26T02:16:21Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2026-02-26T22:25:45Z",
    "github_reviewed": true
}
References

Affected packages

npm / svelte

Package

Affected ranges

Type
SEMVER
Events
Introduced
5.53.0
Fixed
5.53.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-qgvg-pr8v-6rr3/GHSA-qgvg-pr8v-6rr3.json"