exploitDog

CVE-2026-27902

Published: 26 Feb 2026
Source: redhat
CVSS3: 4.2
EPSS: Low

Description

Svelte is a performance-oriented web framework. Prior to version 5.53.5, errors from transformError were not correctly escaped before being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError. Version 5.53.5 fixes the issue.

A cross-site scripting (XSS) vulnerability was found in Svelte’s server-side rendering (SSR) error handling. Error messages returned from the transformError function were not properly escaped before being embedded into HTML output within hydration markers. If an application returns attacker-controlled content through transformError, the content may be interpreted as HTML in the rendered page, resulting in HTML injection and potential execution of arbitrary JavaScript in a victim’s browser. Successful exploitation could allow an attacker to access sensitive information or perform actions in the context of the affected user.

Statement

This MODERATE severity cross-site scripting (XSS) flaw in Svelte's server-side rendering (SSR) error handling allows for HTML injection. If an application utilizing Svelte's SSR returns attacker-controlled content through the transformError function, it could lead to the execution of arbitrary JavaScript in a victim's browser. This only affects applications or packages that embed or utilize Svelte in a server-side rendering context.
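To make the failure mode above concrete, here is an added example that is not Svelte's own code and does not reproduce the real transformError signature or Svelte's real hydration-marker format. It models the pattern the advisory describes: an SSR error boundary writes the message returned by an application-level error hook into an HTML comment used as a hydration marker. The unsafe renderer concatenates the message verbatim, so a message that echoes a request parameter can close the comment and inject markup; the hardened renderer escapes HTML metacharacters and the comment terminator. All function names (renderErrorMarkerUnsafe, renderErrorMarkerSafe, escapeForComment, leaksMarkup, transformErrorEchoing, transformErrorSafe) and the sample URL are hypothetical and constructed for this illustration.

```javascript
// Added example, not code from Svelte or from the advisory. Models the bug
// class described above; all names here are hypothetical.

// Unsafe variant: the error text is concatenated into the comment verbatim.
function renderErrorMarkerUnsafe(message) {
  return `<!--[ssr-error:${message}]-->`;
}

// Escape text so it can neither terminate the enclosing comment nor be
// parsed as markup if it is later written into the DOM: neutralise the
// usual HTML metacharacters and the "--" comment terminator sequence.
function escapeForComment(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/--/g, '&#45;&#45;');
}

// Hardened variant: same marker shape, escaped payload.
function renderErrorMarkerSafe(message) {
  return `<!--[ssr-error:${escapeForComment(message)}]-->`;
}

// Check whether a rendered fragment contains a tag outside of any comment,
// i.e. whether the marker was broken out of.
function leaksMarkup(html) {
  const withoutComments = html.replace(/<!--[\s\S]*?-->/g, '');
  return /<\s*[a-z]/i.test(withoutComments);
}

// Two application-level error hooks, loosely modelled on transformError.
// The first echoes attacker-controlled input (a request URL) into the
// message, which is what makes the flaw reachable; the second returns a
// fixed, generic message (the detail would be logged server-side instead).
function transformErrorEchoing(error, requestUrl) {
  return new Error(`Failed to load ${requestUrl}: ${error.message}`);
}

function transformErrorSafe(error) {
  return new Error('Something went wrong while rendering this page.');
}

// Constructed sample input: a URL an attacker can place in a link. The
// "-->" closes the comment, the "<!--" re-opens one to swallow the tail.
const attackerUrl = '/profile?id=--><img src=x onerror=alert(1)><!--';

// Render the three combinations and return them for inspection.
function demo() {
  const boom = new Error('database timeout');
  const echoed = transformErrorEchoing(boom, attackerUrl).message;
  return {
    unsafe: renderErrorMarkerUnsafe(echoed),                    // injected <img> lands outside the comment
    safe: renderErrorMarkerSafe(echoed),                        // payload stays inert inside the comment
    fixedApp: renderErrorMarkerUnsafe(transformErrorSafe(boom).message), // no attacker data at all
  };
}
```

Both layers matter: the framework fix (escaping in the marker) closes the injection even when the hook echoes untrusted data, while an application that returns only generic messages from its error hook is not exposed even on an unpatched version. Whatever consumes the marker on the client must decode exactly what the server encoded, and must not hand the decoded text to innerHTML.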

Affected packages

Platform                                       | Package                                      | State                | Advisory | Release
Red Hat Build of Podman Desktop - Tech Preview | rhdesktop/rh-podman-desktop-ext-bootc-rhel10 | Fix deferred         |          |
Red Hat OpenShift AI (RHOAI)                   | rhoai/odh-dashboard-rhel9                    | Out of support scope |          |


Additional information

Severity: Moderate
Weakness: CWE-79
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2442917 (svelte: Svelte: Cross-Site Scripting via unsanitized error output)

EPSS: 0.00032 (percentile 9%, Low)
CVSS3: 4.2 (Medium)

Related vulnerabilities

nvd (30 days ago), CVSS3: 5.4

Svelte is a performance-oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped before being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue.

github (29 days ago)

Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers
