2441532 – (CVE-2026-27121) CVE-2026-27121 svelte: Svelte affected by cross-site scripting via spread attributes in Svelte SSR

Bug 2441532 (CVE-2026-27121) - CVE-2026-27121 svelte: Svelte affected by cross-site scripting via spread attributes in Svelte SSR

Summary: CVE-2026-27121 svelte: Svelte affected by cross-site scripting via spread att...

Keywords:
Status:	NEW
Alias:	CVE-2026-27121
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2441549 2441552
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-20 23:02 UTC by OSIDB Bzimport
Modified:	2026-02-20 23:45 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-20 23:02:33 UTC

svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.

Note You need to log in before you can comment on or make changes to this bug.