CVE-2026-27121
Cross-site scripting (XSS) vulnerability in svelte (npm)
What is CVE-2026-27121 About?
This cross-site scripting (XSS) vulnerability affects Svelte versions prior to 5.51.5 during server-side rendering. It allows attackers to inject malicious event handlers when untrusted data is spread as element attributes, leading to arbitrary script execution in victims' browsers. Exploitation involves crafting untrusted data that is rendered as element attributes.
Affected Software
Technical Details
The vulnerability occurs in Svelte's server-side rendering (SSR) when using spread syntax ({...attrs}) to render attributes from untrusted data. Specifically, if event handler properties (e.g., onclick, onerror) are present in the untrusted data, they are included in the rendered HTML output without proper sanitization. This allows an attacker to inject malicious JavaScript code via these event handler attributes. When a user's browser loads the vulnerable page, the injected event handler executes, leading to a cross-site scripting (XSS) attack. The core issue is the improper handling of inherited event handler properties during attribute spreading.
What is the Impact of CVE-2026-27121?
Successful exploitation may allow attackers to execute arbitrary script code in the context of the user's browser, enabling session hijacking, data theft, defacement, or redirection to malicious sites.
What is the Exploitability of CVE-2026-27121?
Exploitation complexity is moderate. An attacker needs to control the data used in attribute spreading ({...attrs}) within a Svelte component that undergoes server-side rendering. No explicit authentication is typically required for a remote attacker to supply untrusted data that is eventually rendered this way, but the specific vector depends on the application. The attack is remote, as it targets the server-side rendering process. A key constraint is that the vulnerability is triggered only during server-side rendering (SSR); client-side rendering is not affected. Risk increases when applications spread user-controlled or external data directly as element attributes without prior sanitization.
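The mitigation the Technical Details and Exploitability sections point at, filtering untrusted attribute objects before they are spread, as an added defensive example (not Svelte's own patch and not code from this advisory). It assumes the untrusted object may carry handler keys both as own properties and via its prototype chain, and that a hypothetical sanitizeAttrs helper is called before {...attrs} in the SSR component:

```javascript
// Added defensive example (not the upstream Svelte fix): drop every event-handler
// attribute (any name beginning with "on", case-insensitive, since HTML attribute
// names are case-insensitive) from an untrusted object before it is spread as
// {...attrs} in a server-rendered component. Keys are read with for...in so that
// inherited enumerable properties are inspected too, and survivors are copied into
// a fresh plain object so nothing reaches the template through the prototype chain.
const EVENT_HANDLER = /^on/i;

function sanitizeAttrs(attrs) {
  const safe = {};      // attributes that may be spread
  const dropped = [];   // handler names removed; worth logging server-side
  if (attrs === null || typeof attrs !== 'object') return { safe, dropped };
  for (const key in attrs) {           // own + inherited enumerable keys
    if (EVENT_HANDLER.test(key)) {
      dropped.push(key);
      continue;
    }
    safe[key] = attrs[key];
  }
  return { safe, dropped };
}

// Constructed sample input: an own handler written in upper case plus one
// inherited from the prototype, alongside harmless attributes.
const untrusted = Object.assign(
  Object.create({ onmouseover: 'alert(1)' }),
  { id: 'profile', class: 'card', ONERROR: 'alert(1)', 'data-user': 'alice' }
);

const cleaned = sanitizeAttrs(untrusted);
// cleaned.safe    → { id: 'profile', class: 'card', 'data-user': 'alice' }
// cleaned.dropped → ['ONERROR', 'onmouseover']
```

In the component, spread `cleaned.safe` rather than the raw object, and treat a non-empty `dropped` list as a detection signal for attempted handler injection.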
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-27121?
Available Upgrade Options
- svelte
  - <5.51.5 → Upgrade to 5.51.5
What are Similar Vulnerabilities to CVE-2026-27121?
Similar Vulnerabilities: CVE-2023-45811, CVE-2023-31046, CVE-2023-28704, CVE-2023-28706, CVE-2023-28705
