GHSA-gw32-9rmw-qwww: svelte is vulnerable to XSS with textarea bind:value

January 16, 2026

A server-side rendered <textarea> with two-way bound value does not have its value correctly escaped in the rendered HTML.

References

github.com/advisories/GHSA-gw32-9rmw-qwww
github.com/sveltejs/svelte
github.com/sveltejs/svelte/commit/a31dec5eb30978cff7ff4d77f4bf316841f711bc
github.com/sveltejs/svelte/security/advisories/GHSA-gw32-9rmw-qwww

Code Behaviors & Features

Detect and mitigate GHSA-gw32-9rmw-qwww with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →