Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers

Severity:: Medium

Description

Errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError.

Recommendation

Update the svelte package to the latest compatible version. Followings are version details:

Affected version(s): >= 5.53.0, < 5.53.5
Patched version(s): 5.53.5

References

GHSA-qgvg-pr8v-6rr3
CVE-2026-27902
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

SCEditor has DOM XSS via emoticon URL/HTML injection - CVE-2026-25581
Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes - CVE-2026-34405
Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State - CVE-2026-42573
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` - CVE-2026-44990

How do hackers hack websites?

These 7 PHP mistakes leave your website open to the hackers

How to Secure your NodeJs Express Javascript Application - part 1

Tags:: npm; svelte

Anything's wrong? Let us know Last updated on February 26, 2026