CVE-2026-27122

CVE-2026-27122 · PUBLISHED · CVSS 5.1 · MEDIUM

Svelte is a performance-oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
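
The bug class described above, as an added example that is not Svelte's code or its patch: a string-building emitter that trusts the tag name, next to one that checks it first. The names isSafeTagName, renderNaive and renderChecked, the allowlist pattern and the sample input are all assumptions made for illustration.

```javascript
// Added illustration only; this is not Svelte's implementation or its fix.
// Assumption: a conservative allowlist (ASCII letter first, then letters,
// digits or '-'), which is stricter than what HTML itself permits.
const SAFE_TAG = /^[A-Za-z][A-Za-z0-9-]*$/;

function isSafeTagName(tag) {
  return typeof tag === 'string' && tag.length <= 64 && SAFE_TAG.test(tag);
}

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Models the flaw: the text content is escaped, but the tag name goes into
// the markup unchecked, so a space in it turns the remainder into attributes.
function renderNaive(tag, text) {
  return `<${tag}>${escapeHtml(text)}</${tag}>`;
}

// Same emitter with the tag name validated before anything is written.
function renderChecked(tag, text) {
  if (!isSafeTagName(tag)) {
    throw new TypeError(`refusing to render unsafe tag name: ${JSON.stringify(tag)}`);
  }
  return `<${tag}>${escapeHtml(text)}</${tag}>`;
}

// Constructed sample: a "tag" value that arrived from outside the template.
const untrustedTag = 'div data-injected="1"';

function demo() {
  const naive = renderNaive(untrustedTag, 'Title');
  let checked;
  try {
    checked = renderChecked(untrustedTag, 'Title');
  } catch (err) {
    checked = `rejected: ${err.message}`;
  }
  return { naive, checked, ok: renderChecked('h2', 'Title') };
}

console.log(demo());
```

Upgrading to 5.51.5 is the fix the advisory names; a check like this only constrains which tag values an application passes to <svelte:element> during SSR.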

EPSS 0.01% · 1.4th percentile

Risk Scores

CVSS v4.0: 5.1
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N
EPSS Score: 0.01% (1.4th percentile)

Affected Products

Vendor      Product   Versions
sveltejs    svelte    < 5.51.5, < 5.51.5
svelte      svelte    0, 0
npm         svelte    0, 0

Timeline

  • Feb 19, 2026 CVE Published
  • Feb 21, 2026 EPSS Score
  • Feb 23, 2026 CVE Updated
  • Feb 23, 2026 EPSS Score
  • Feb 24, 2026 EPSS Score
  • Feb 26, 2026 EPSS Score
  • Feb 27, 2026 EPSS Score
  • Mar 1, 2026 EPSS Score
  • Mar 3, 2026 EPSS Score
  • Mar 4, 2026 EPSS Score
  • Mar 6, 2026 EPSS Score
  • Mar 8, 2026 EPSS Score