CVE-2026-27122: Svelte SSR does not validate dynamic element tag names in `<svelte:element>`

February 19, 2026

When using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.

References

github.com/advisories/GHSA-m56q-vw4c-c2cp
github.com/sveltejs/svelte
github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cp
nvd.nist.gov/vuln/detail/CVE-2026-27122

Code Behaviors & Features

Detect and mitigate CVE-2026-27122 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →