Svelte SSR does not validate dynamic element tag names in `<svelte:element>`
- Severity:
- Medium
Description
When using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.
Recommendation
Update the svelte package to the latest compatible version. Followings are version details:
- Affected version(s): <= 5.51.4
- Patched version(s): 5.51.5
References
Related Issues
- Svelte affected by XSS in SSR `<option>` element - CVE-2026-27119
- KaTeX \htmlData does not validate attribute names - CVE-2025-23207
- Svelte affected by cross-site scripting via spread attributes in Svelte SSR - CVE-2026-27121
- Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers - CVE-2026-27902
- Tags:
- npm
- svelte
Anything's wrong? Let us know Last updated on February 23, 2026