CVE-2026-27901

6.1 MEDIUM

📋 TL;DR

This vulnerability in the Svelte web framework allows HTML injection and Cross-Site Scripting (XSS) when bind:innerText or bind:textContent is used on contenteditable elements with untrusted data. It affects applications that render untrusted data as initial binding values on the server. Developers using Svelte versions before 5.53.5 are impacted.

💻 Affected Systems

Products:
  • Svelte
Versions: All versions prior to 5.53.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using bind:innerText or bind:textContent on contenteditable elements with untrusted initial values rendered server-side.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full XSS exploitation allowing attackers to steal session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites.

🟠

Likely Case

Limited XSS attacks targeting specific users who interact with contenteditable elements containing malicious payloads.

🟢

If Mitigated

No impact if proper input validation and output encoding are implemented, or if no untrusted data is bound to these elements.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction with vulnerable contenteditable elements containing malicious payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.53.5

Vendor Advisory: https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh

Restart Required: No

Instructions:

1. Update the Svelte dependency to version 5.53.5 or later.
2. Run npm update svelte or yarn upgrade svelte.
3. Rebuild and redeploy your application.

🔧 Temporary Workarounds

Manual Input Sanitization

Applies to: all

Manually sanitize all data bound to bind:innerText and bind:textContent on contenteditable elements before rendering.

Avoid Untrusted Data Binding

Applies to: all

Do not bind untrusted data to bind:innerText or bind:textContent on contenteditable elements.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
  • Use client-side rendering only for affected components to avoid server-side injection

🔍 How to Verify

Check if Vulnerable:

Check package.json for Svelte version below 5.53.5 and review code for bind:innerText or bind:textContent usage on contenteditable elements.

Check Version:

Run npm list svelte, or check the svelte entry in package.json.

Verify Fix Applied:

Verify Svelte version is 5.53.5 or higher in package.json and test that contenteditable elements properly escape HTML.
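The two checks above (version below 5.53.5, and bind:innerText / bind:textContent on a contenteditable element) can be scripted. The following is an added example, not code from the advisory or the Svelte project; the function names, the sample package.json and the sample component are constructed for this illustration, and only the lower bound of a version range is inspected (a lockfile gives the exact installed version and is the more reliable source).

```javascript
// Added example: flag a package.json whose Svelte version is below 5.53.5
// and locate risky bindings in .svelte sources. Names are assumptions.
const FIXED_VERSION = [5, 53, 5];

// Turn a spec such as "^5.52.0" or "~5.53.4" into [major, minor, patch].
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// true = below the fixed version, false = fixed or newer,
// null = spec cannot be decided (git URL, "latest", ...).
function isVersionVulnerable(spec) {
  const v = parseVersion(spec);
  if (!v) return null;
  for (let i = 0; i < 3; i++) {
    if (v[i] < FIXED_VERSION[i]) return true;
    if (v[i] > FIXED_VERSION[i]) return false;
  }
  return false; // exactly 5.53.5
}

// Pull the svelte spec from dependencies or devDependencies.
function svelteSpecFrom(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  return (pkg.dependencies && pkg.dependencies.svelte) ||
         (pkg.devDependencies && pkg.devDependencies.svelte) || null;
}

// Report opening tags that carry both contenteditable and one of the two
// bindings, with the 1-based line on which the tag starts.
function findRiskyBindings(svelteSource) {
  const hits = [];
  const tagRe = /<[a-zA-Z][^>]*>/g; // [^>] also spans multi-line tags
  let m;
  while ((m = tagRe.exec(svelteSource)) !== null) {
    const tag = m[0];
    if (/\bcontenteditable\b/i.test(tag) &&
        /\bbind:(innerText|textContent)\b/.test(tag)) {
      const line = svelteSource.slice(0, m.index).split('\n').length;
      hits.push({ line, tag });
    }
  }
  return hits;
}

// Constructed sample inputs (not from a real project).
const samplePackageJson = JSON.stringify({
  name: 'demo-app',
  dependencies: { svelte: '^5.52.0' },
});
const sampleComponent = `<script>
  export let note; // server-supplied initial value
</script>
<div contenteditable="true" bind:innerText={note}></div>
<p>{note}</p>
`;

const spec = svelteSpecFrom(samplePackageJson);
console.log('svelte spec:', spec, 'vulnerable version:', isVersionVulnerable(spec));
for (const hit of findRiskyBindings(sampleComponent)) {
  console.log(`line ${hit.line}: ${hit.tag}`);
}
```

A hit from findRiskyBindings is only a candidate: whether the initial value is untrusted and server-rendered still has to be confirmed by reading where the bound variable comes from.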

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML patterns in contenteditable element data
  • XSS payload patterns in request logs

Network Indicators:

  • Suspicious script tags in HTTP responses for contenteditable elements

SIEM Query:

Search for patterns such as <script> or javascript: in requests targeting endpoints that render contenteditable elements.
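The query above, applied to access-log lines, as an added example that is not part of the advisory. The log format (combined-style), the watched endpoint paths and the sample lines are constructed; the one point beyond the advisory's wording is that the request target is percent-decoded (repeatedly, to catch double encoding) before the patterns are matched, since an encoded payload would otherwise never match.

```javascript
// Added example: match the advisory's indicators against constructed request
// log lines. Paths, log format and sample data are assumptions.
const WATCHED_PATHS = ['/notes', '/api/notes'];
const INDICATORS = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
];

// Percent-decode until the string stops changing (bounded), so that
// double-encoded payloads are seen in their final form.
function decodeFully(s, maxRounds = 3) {
  let out = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(out.replace(/\+/g, ' '));
    } catch {
      return out; // malformed escape sequence: keep what we have
    }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Returns a finding for one log line, or null when the line is not a
// request to a watched path or carries none of the indicators.
function scanLogLine(line) {
  const m = /"([A-Z]+) (\S+) HTTP\/[\d.]+"/.exec(line);
  if (!m) return null;
  const [, method, target] = m;
  const path = target.split('?')[0];
  if (!WATCHED_PATHS.includes(path)) return null;
  const decoded = decodeFully(target);
  const indicators = INDICATORS.filter((ind) => ind.re.test(decoded))
                               .map((ind) => ind.name);
  return indicators.length ? { method, path, indicators, decoded } : null;
}

function scanLog(text) {
  return text.split('\n').map(scanLogLine).filter(Boolean);
}

// Constructed sample log: a benign request, a plain-encoded script tag,
// a double-encoded javascript: URI, and a hit on an unwatched path.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2026:12:00:00 +0000] "GET /notes?content=hello%20world HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /notes?content=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
  '198.51.100.7 - - [10/Mar/2026:12:00:02 +0000] "POST /api/notes?body=%256Aavascript%253Aalert(1) HTTP/1.1" 201 64',
  '198.51.100.7 - - [10/Mar/2026:12:00:03 +0000] "GET /static/app.js?v=%3Cscript%3E HTTP/1.1" 200 9000',
].join('\n');

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.method} ${f.path}: ${f.indicators.join(', ')} -> ${f.decoded}`);
}
```

Restricting matches to the endpoints that actually render contenteditable content keeps the alert volume manageable; the unwatched /static/app.js line above is dropped for that reason even though it carries the pattern.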

🔗 References
