CVE-2026-27902: Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers
Errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError.
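The bug class described above, as an added example that is not Svelte's own code: the `boundary-error` marker layout, the function names and the sample `transformError` result are all constructed for illustration. It shows why JSON-encoding alone does not keep a value inside an HTML comment, next to an encoding that does.

```javascript
// Constructed marker layout for illustration; not Svelte's real hydration format.
const PREFIX = 'boundary-error:';

// Vulnerable pattern: JSON.stringify leaves '<' and '>' untouched, so a string
// value containing "-->" ends the comment and the rest is parsed as markup.
function renderMarkerUnsafe(transformed) {
  return `<!--${PREFIX}${JSON.stringify(transformed)}-->`;
}

// Hardened pattern: in JSON, '<' and '>' can only occur inside strings, so
// rewriting them as \uXXXX escapes keeps the JSON valid and lossless while
// making the comment terminators "-->" and "--!>" impossible to emit.
function renderMarkerSafe(transformed) {
  const json = JSON.stringify(transformed)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
  return `<!--${PREFIX}${json}-->`;
}

// Minimal model of an HTML parser: the comment ends at the first "-->".
// Anything after it ("trailing") is handled as ordinary HTML.
function splitComment(html) {
  const start = html.indexOf('<!--') + 4;
  const end = html.indexOf('-->', start);
  return { body: html.slice(start, end), trailing: html.slice(end + 3) };
}

// Client side: recover the error object from a marker, or null if it is damaged.
function readMarker(html) {
  const { body } = splitComment(html);
  try {
    return JSON.parse(body.slice(PREFIX.length));
  } catch {
    return null;
  }
}

// Constructed sample: a transformError result carrying attacker-influenced text.
const sample = { message: 'lookup failed for --><b>injected</b>', code: -1 };

console.log(splitComment(renderMarkerUnsafe(sample)).trailing); // markup escaped the comment
console.log(splitComment(renderMarkerSafe(sample)).trailing);   // empty string
console.log(readMarker(renderMarkerSafe(sample)));              // original object
```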