exploitDog

CVE-2026-27901

Published: 26 Feb 2026
Source: nvd
CVSS3: 6.1
EPSS: Low

Description

Svelte is a performance-oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*
Version before 5.53.5 (exclusive)
cpe:2.3:a:svelte:svelte:5.53.5:*:*:*:*:node.js:*:*

EPSS

Percentile: 9%
0.00032
Low

6.1 Medium

CVSS3

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 5.4
redhat
30 days ago

Svelte is a performance-oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.

github
29 days ago

Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`
