CVE-2026-27121: Svelte affected by cross-site scripting via spread attributes in Svelte SSR

February 19, 2026

Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims’ browsers.

References

github.com/advisories/GHSA-f7gr-6p89-r883
github.com/sveltejs/svelte
github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883
nvd.nist.gov/vuln/detail/CVE-2026-27121

Code Behaviors & Features

Detect and mitigate CVE-2026-27121 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →