Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`
- Severity:
- Medium
Description
The contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-site Scripting (XSS) if rendering untrusted data as the binding’s initial value on the server.
Recommendation
Update the svelte package to the latest compatible version. Followings are version details:
- Affected version(s): <= 5.53.4
- Patched version(s): 5.53.5
References
Related Issues
- Svelte affected by XSS in SSR `<option>` element - CVE-2026-27119
- Svelte vulnerable to XSS when using objects during server-side rendering - CVE-2022-25875
- Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers - CVE-2026-27902
- billboard.js is vulnerable to XSS during chart option binding - CVE-2026-1513
- Tags:
- npm
- svelte
Anything's wrong? Let us know Last updated on March 11, 2026