Svelte SSR does not validate dynamic element tag names in `<svelte:element>`

Description

When using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.

Recommendation

Update the svelte package to the latest compatible version. Followings are version details:

• Affected version(s): <= 5.51.4
• Patched version(s): 5.51.5

References

• GHSA-m56q-vw4c-c2cp
• CVE-2026-27122
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Svelte: ReDoS in `<svelte:element>` Tag Validation - CVE-2026-42567
• KaTeX \htmlData does not validate attribute names - CVE-2025-23207
• Svelte affected by XSS in SSR `<option>` element - CVE-2026-27119
• Strapi: Password Reset Does Not Revoke Existing Refresh Sessions - CVE-2026-22706

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

svelte