{"id":"CVE-2026-27119","summary":"Svelte affected by XSS in SSR `\u003coption\u003e` element","details":"Svelte is a performance-oriented web framework. In versions 5.39.3 through 5.51.4, in certain circumstances, the server-side rendering (SSR) output of an \u003coption\u003e element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.","aliases":["GHSA-h7h7-mm68-gmrc"],"modified":"2026-04-10T05:37:05.634692Z","published":"2026-02-20T22:25:42.794Z","database_specific":{"cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27119.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27119.json"},{"type":"ADVISORY","url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-h7h7-mm68-gmrc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27119"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sveltejs/svelte","events":[{"introduced":"ded13b825d7efcdf064fd65a5aa9e7e61293a48b"},{"fixed":"8ea33bf7fe86d0d53cbe4104419cda9b4bb0442f"}]}],"versions":["svelte@5.39.10","svelte@5.39.11","svelte@5.39.12","svelte@5.39.13","svelte@5.39.3","svelte@5.39.4","svelte@5.39.5","svelte@5.39.6","svelte@5.39.7","svelte@5.39.8","svelte@5.39.9","svelte@5.40.0","svelte@5.40.1","svelte@5.40.2","svelte@5.41.0","svelte@5.41.1","svelte@5.41.2","svelte@5.41.3","svelte@5.41.4","svelte@5.42.0","svelte@5.42.1","svelte@5.42.2","svelte@5.42.3","svelte@5.43.0","svelte@5.43.1","svelte@5.43.10","svelte@5.43.11","svelte@5.43.12","svelte@5.43.13","svelte@5.43.14","svelte@5.43.15","svelte@5.43.2","svelte@5.43.3","svelte@5.43.4","svelte@5.43.5","svelte@5.43.6","svelte@5.43.7","svelte@5.43.8","svelte@5.43.9","svelte@5.44.0","svelte@5.44.1","svelte@5.45.0","svelte@5.45.1","svelte@5.45.10","svelte@5.45.2","svelte@5.45
.3","svelte@5.45.4","svelte@5.45.5","svelte@5.45.6","svelte@5.45.7","svelte@5.45.8","svelte@5.45.9","svelte@5.46.0","svelte@5.46.1","svelte@5.46.3","svelte@5.46.4","svelte@5.47.0","svelte@5.47.1","svelte@5.48.0","svelte@5.48.1","svelte@5.48.2","svelte@5.48.3","svelte@5.48.4","svelte@5.48.5","svelte@5.49.0","svelte@5.49.1","svelte@5.49.2","svelte@5.50.0","svelte@5.50.1","svelte@5.50.2","svelte@5.50.3","svelte@5.51.0","svelte@5.51.1","svelte@5.51.2","svelte@5.51.3","svelte@5.51.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27119.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"}]}