Bug 2441520 (CVE-2026-27122) - CVE-2026-27122 svelte: Svelte SSR does not validate dynamic element tag names in `<svelte:element>`
Summary: CVE-2026-27122 svelte: Svelte SSR does not validate dynamic element tag names...
Keywords:
Status: NEW
Alias: CVE-2026-27122
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2441547 2441551
Blocks:
Reported: 2026-02-20 23:01 UTC by OSIDB Bzimport
Modified: 2026-02-20 23:45 UTC
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2026-02-20 23:01:57 UTC
Svelte is a performance-oriented web framework. Prior to 5.51.5, when using `<svelte:element this={tag}>` in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
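
The check the description says was missing, as an added example (not code from Svelte or from this bug report): a stand-alone JavaScript sketch that validates a dynamic tag name before it reaches markup. The function names, the allowlist and the naive renderer are assumptions made for illustration.

```javascript
// Added example: stand-alone sketch, not Svelte's internals or its 5.51.5 fix.
// All function names here are hypothetical.

// Tags the application is willing to render dynamically (assumed policy).
const ALLOWED_TAGS = new Set([
  'div', 'span', 'p', 'section', 'article', 'h1', 'h2', 'h3', 'ul', 'ol', 'li',
]);

// Conservative name grammar: ASCII letter first, then letters, digits or hyphens.
// Rejects whitespace, '<', '>', '/', '=', quotes and NUL, any of which would end
// the tag name early and let the rest of the string be parsed as markup.
const TAG_NAME_RE = /^[a-z][a-z0-9-]*$/;

function safeTagName(tag, fallback = 'div') {
  if (typeof tag !== 'string') return fallback;
  const name = tag.toLowerCase();
  if (!TAG_NAME_RE.test(name)) return fallback;
  return ALLOWED_TAGS.has(name) ? name : fallback;
}

function escapeText(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Stand-in for a server renderer that interpolates the tag name unchecked.
function renderUnchecked(tag, text) {
  return `<${tag}>${escapeText(text)}</${tag}>`;
}

// Same renderer with the tag name validated first.
function renderChecked(tag, text) {
  const name = safeTagName(tag);
  return `<${name}>${escapeText(text)}</${name}>`;
}

// Constructed inputs: two well-formed names, two with unexpected characters.
const samples = ['h2', 'SPAN', 'div title=injected', 'p><hr'];
for (const tag of samples) {
  console.log(JSON.stringify(tag), '->', renderUnchecked(tag, 'hi'), '|', renderChecked(tag, 'hi'));
}
```

On a version before 5.51.5 the same check can be applied at the call site, as `<svelte:element this={safeTagName(tag)}>`; the fix the report names is the upgrade to 5.51.5.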

