{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27901", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T15:19:29.718Z", "datePublished": "2026-02-26T00:57:40.269Z", "dateUpdated": "2026-02-26T14:31:00.714Z"}, "containers": {"cna": {"title": "Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh"}, {"name": "https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d"}, {"name": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5"}], "affected": [{"vendor": "sveltejs", "product": "svelte", "versions": [{"version": "< 5.53.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:57:40.269Z"}, "descriptions": [{"lang": "en", "value": "Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue."}], "source": {"advisory": "GHSA-phwv-c562-gvmh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T14:30:46.335897Z", "id": "CVE-2026-27901", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:31:00.714Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27901", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T14:30:46.335897Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:30:52.144Z"}}], "cna": {"title": "Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`", "source": {"advisory": "GHSA-phwv-c562-gvmh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "sveltejs", "product": "svelte", "versions": [{"status": "affected", "version": "< 5.53.5"}]}], "references": [{"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh", "name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d", "name": "https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5", "name": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:57:40.269Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27901", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:31:00.714Z", "dateReserved": "2026-02-24T15:19:29.718Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T00:57:40.269Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "94559490-A41A-4BD6-8BBB-2B7DE3ED2371", "versionEndExcluding": "5.53.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:svelte:svelte:5.53.5:*:*:*:*:node.js:*:*", "matchCriteriaId": "5AA08C57-D7C4-48C9-BC0C-98B99E99E42E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue."}, {"lang": "es", "value": "Framework web Svelte orientado al rendimiento. Antes de la versi\u00f3n 5.53.5, el contenido de `bind:innerText` y `bind:textContent` en elementos `contenteditable` no se escapaba correctamente. Esto podr\u00eda permitir la inyecci\u00f3n de HTML y cross-site scripting (XSS) si se renderizaban datos no confiables como el valor inicial del enlace en el servidor. La versi\u00f3n 5.53.5 corrige el problema."}], "id": "CVE-2026-27901", "lastModified": "2026-03-05T14:49:14.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T02:16:20.967", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "svelte: Svelte: Cross-Site Scripting and HTML injection via improper escaping of bind:innerText and bind:textContent", "id": "2442918", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442918"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-27901", "package_state": [{"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Affected", "package_name": "rhdesktop/rh-podman-desktop-ext-bootc-rhel10", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}], "public_date": "2026-02-26T00:57:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27901\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27901\nhttps://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d\nhttps://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5\nhttps://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh"], "threat_severity": "Moderate"}