GHSA-97r8-rf7q-wmjw: Sveltia CMS: Stored XSS in entry summary rendering via entity-decoded HTML
A stored cross-site scripting (XSS) vulnerability affected entry summary rendering in Sveltia CMS.
Entry summaries that allowed limited Markdown were rendered from Markdown, sanitized, and only then HTML-entity-decoded. Because decoding ran after sanitization, entity-encoded markup (an encoded tag, or an encoded event handler attribute on an otherwise allowed tag) passed through the sanitizer as inert text and was turned into live HTML by the decode step. When the resulting summary was rendered in the CMS UI, arbitrary JavaScript could execute in the browser of any user viewing the affected entry list or search result.
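As an added illustration that is not part of this advisory or of Sveltia CMS's own code, the following JavaScript reproduces the ordering bug with a toy summary pipeline and shows the corrected order. The function names, the tiny Markdown renderer, the allowlist sanitizer and the sample summaries are all constructed for this example and stand in for whatever the project actually uses; the only thing being demonstrated is the order of the steps.

```javascript
// Added example, not Sveltia CMS code. Every name below is an assumption made
// for illustration: decodeEntities, renderLimitedMarkdown, sanitize and the
// SAMPLES are stand-ins for the project's real implementation.

const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Single-pass decoder for named, decimal and hex entities. Unknown names and
// out-of-range code points are left untouched, so input is never decoded twice.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : match;
  });
}

// "Limited Markdown": only *emphasis* and `code` spans are supported here.
function renderLimitedMarkdown(s) {
  return s
    .replace(/\*([^*\n]+)\*/g, '<em>$1</em>')
    .replace(/`([^`\n]+)`/g, '<code>$1</code>');
}

// Toy allowlist sanitizer: keeps <em>, <strong> and <code> with every attribute
// stripped and drops any other tag. It only recognises a literal '<', so
// entity-encoded markup is invisible to it, which is exactly the problem.
const ALLOWED_TAGS = new Set(['em', 'strong', 'code']);
function sanitize(html) {
  return html.replace(/<(\/?)([a-z][a-z0-9]*)\b[^>]*>/gi, (tag, slash, name) => {
    const lower = name.toLowerCase();
    return ALLOWED_TAGS.has(lower) ? `<${slash}${lower}>` : '';
  });
}

// Vulnerable order, as described in the advisory: parse, sanitize, then decode.
function renderSummaryVulnerable(source) {
  return decodeEntities(sanitize(renderLimitedMarkdown(source)));
}

// Fixed order: decode first, then parse, and sanitize as the very last step
// before the string is handed to an HTML sink.
function renderSummaryFixed(source) {
  return sanitize(renderLimitedMarkdown(decodeEntities(source)));
}

// Cheap check for live markup that must never reach an HTML sink: any tag
// outside the allowlist, or any on* event handler attribute on an allowed tag.
function containsActiveHtml(html) {
  const tagRe = /<(\/?)([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!ALLOWED_TAGS.has(m[2].toLowerCase())) return true;
    if (/\bon[a-z]+\s*=/i.test(m[3])) return true;
  }
  return false;
}

// Constructed entry summaries for the demo; not content from any real repository.
const SAMPLES = {
  encodedTag: 'Release notes &lt;img src=x onerror=alert(1)&gt; for *v2*',
  encodedHandler: '&lt;em onmouseover=alert(1)&gt;hover me&lt;/em&gt;',
  numericEntities: '&#60;script&#62;alert(1)&#60;/script&#62; done',
  benign: 'Fix `a &lt; b` comparison in *parser*',
};

for (const [name, source] of Object.entries(SAMPLES)) {
  console.log(name);
  console.log('  vulnerable:', renderSummaryVulnerable(source));
  console.log('  fixed:     ', renderSummaryFixed(source));
}
```

Run it with `node`. The invariant worth checking in any summary renderer is that sanitization is the last transformation before the string reaches an HTML sink such as `innerHTML` or Svelte's `{@html}`; any decode, unescape or templating step placed after the sanitizer reopens the hole regardless of how good the sanitizer is. Decoding before sanitizing also has a consequence for authors: an entity like `&lt;b&gt;` can no longer be used to display literal tag text inside a summary, so a renderer that needs to show such text should treat the summary as plain text rather than HTML.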
The practical impact is limited in currently supported Sveltia CMS usage because the CMS is intended for a single developer or a small trusted team, and open authoring / untrusted multi-user authoring is not currently implemented. Exploitation requires the ability to place malicious content into the repository or content source that the CMS loads.