Description
In certain circumstances, the server-side rendering output of an `<option>` element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected.
Recommendation
Update the svelte package to the latest compatible version. Version details:
- Affected version(s): >= 5.39.3, < 5.51.5
- Patched version(s): 5.51.5
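The affected range above can be checked against a project's lockfile, including copies of svelte pulled in by other dependencies. This is an added example, not code from this advisory or the Svelte project; it assumes an npm `package-lock.json` with lockfileVersion 2 or 3, ignores prerelease suffixes, and runs on a constructed sample lockfile with a hypothetical `some-ui-kit` dependency.

```javascript
// Affected range taken from the advisory: >= 5.39.3, < 5.51.5
const AFFECTED_FROM = [5, 39, 3];
const PATCHED = [5, 51, 5];

// Parse "major.minor.patch"; any prerelease/build suffix is ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable version: not classified as affected
  return compare(v, AFFECTED_FROM) >= 0 && compare(v, PATCHED) < 0;
}

// Walk the "packages" map of a package-lock.json and return every installed
// copy of svelte, including copies nested under other dependencies.
function findSvelte(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/svelte" || path.endsWith("/node_modules/svelte")) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/svelte": { version: "5.51.5" },
    "node_modules/some-ui-kit/node_modules/svelte": { version: "5.40.0" },
    "node_modules/svelte-check": { version: "4.0.0" },
  },
};

for (const hit of findSvelte(sampleLock)) {
  console.log(`${hit.affected ? "AFFECTED" : "ok"}  ${hit.version}  ${hit.path}`);
}
```

Since only SSR output is affected, a flagged copy matters where that copy of svelte renders pages on the server.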
References
Related Issues
- Svelte SSR does not validate dynamic element tag names in `<svelte:element>` - CVE-2026-27122
- Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent` - CVE-2026-27901
- Svelte affected by cross-site scripting via spread attributes in Svelte SSR - CVE-2026-27121
- Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers - CVE-2026-27902
Tags:
- npm
- svelte
Last updated on February 23, 2026