{"id":"CVE-2026-27121","summary":"Svelte affected by cross-site scripting via spread attributes in Svelte SSR","details":"Svelte is a performance-oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.","aliases":["GHSA-f7gr-6p89-r883"],"modified":"2026-04-10T05:37:03.930962Z","published":"2026-02-20T22:27:36.103Z","related":["CGA-4gxm-66x4-6wr6"],"database_specific":{"cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27121.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27121.json"},{"type":"ADVISORY","url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27121"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sveltejs/svelte","events":[{"introduced":"0"},{"fixed":"8ea33bf7fe86d0d53cbe4104419cda9b4bb0442f"}]}],"versions":["svelte@4.0.0","svelte@4.0.0-next.3","svelte@4.0.1","svelte@4.0.2","svelte@4.0.3","svelte@4.0.4","svelte@4.0.5","svelte@4.1.0","svelte@4.1.1","svelte@4.1.2","svelte@4.2.0","svelte@4.2.1","svelte@4.2.2","svelte@4.2.3","svelte@5.0.0","svelte@5.0.0-next.10","svelte@5.0.0-next.100","svelte@5.0.0-next.101","svelte@5.0.0-next.102","svelte@5.0.0-next.103","svelte@5.0.0-next.104","svelte@5.0.0-next.105","svelte@5.0.0-next.106","svelte@5.0.0-next.107","svelte@5.0.0-next.108","svelte@5.0.0-next.109","svelte@5.0.0-next.11","svelte@5.0.0-next.110","svelte@5.0.0-next.111","svelte@5
.0.0-next.112","svelte@5.0.0-next.113","svelte@5.0.0-next.114","svelte@5.0.0-next.115","svelte@5.0.0-next.116","svelte@5.0.0-next.117","svelte@5.0.0-next.118","svelte@5.0.0-next.119","svelte@5.0.0-next.12","svelte@5.0.0-next.120","svelte@5.0.0-next.121","svelte@5.0.0-next.123","svelte@5.0.0-next.125","svelte@5.0.0-next.126","svelte@5.0.0-next.127","svelte@5.0.0-next.128","svelte@5.0.0-next.129","svelte@5.0.0-next.13","svelte@5.0.0-next.130","svelte@5.0.0-next.131","svelte@5.0.0-next.132","svelte@5.0.0-next.133","svelte@5.0.0-next.134","svelte@5.0.0-next.135","svelte@5.0.0-next.136","svelte@5.0.0-next.137","svelte@5.0.0-next.138","svelte@5.0.0-next.139","svelte@5.0.0-next.14","svelte@5.0.0-next.140","svelte@5.0.0-next.141","svelte@5.0.0-next.142","svelte@5.0.0-next.143","svelte@5.0.0-next.144","svelte@5.0.0-next.147","svelte@5.0.0-next.148","svelte@5.0.0-next.149","svelte@5.0.0-next.15","svelte@5.0.0-next.150","svelte@5.0.0-next.151","svelte@5.0.0-next.152","svelte@5.0.0-next.153","svelte@5.0.0-next.154","svelte@5.0.0-next.155","svelte@5.0.0-next.157","svelte@5.0.0-next.158","svelte@5.0.0-next.159","svelte@5.0.0-next.16","svelte@5.0.0-next.160","svelte@5.0.0-next.163","svelte@5.0.0-next.164","svelte@5.0.0-next.165","svelte@5.0.0-next.166","svelte@5.0.0-next.167","svelte@5.0.0-next.168","svelte@5.0.0-next.169","svelte@5.0.0-next.17","svelte@5.0.0-next.170","svelte@5.0.0-next.171","svelte@5.0.0-next.172","svelte@5.0.0-next.173","svelte@5.0.0-next.174","svelte@5.0.0-next.175","svelte@5.0.0-next.176","svelte@5.0.0-next.177","svelte@5.0.0-next.178","svelte@5.0.0-next.179","svelte@5.0.0-next.18","svelte@5.0.0-next.180","svelte@5.0.0-next.181","svelte@5.0.0-next.182","svelte@5.0.0-next.183","svelte@5.0.0-next.184","svelte@5.0.0-next.185","svelte@5.0.0-next.186","svelte@5.0.0-next.187","svelte@5.0.0-next.188","svelte@5.0.0-next.189","svelte@5.0.0-next.19","svelte@5.0.0-next.190","svelte@5.0.0-next.191","svelte@5.0.0-next.192","svelte@5.0.0-next.193","svelte@5.0.0-next.194","
svelte@5.0.0-next.195","svelte@5.0.0-next.196","svelte@5.0.0-next.197","svelte@5.0.0-next.198","svelte@5.0.0-next.199","svelte@5.0.0-next.2","svelte@5.0.0-next.20","svelte@5.0.0-next.200","svelte@5.0.0-next.201","svelte@5.0.0-next.202","svelte@5.0.0-next.203","svelte@5.0.0-next.204","svelte@5.0.0-next.205","svelte@5.0.0-next.206","svelte@5.0.0-next.207","svelte@5.0.0-next.208","svelte@5.0.0-next.21","svelte@5.0.0-next.210","svelte@5.0.0-next.211","svelte@5.0.0-next.212","svelte@5.0.0-next.213","svelte@5.0.0-next.214","svelte@5.0.0-next.215","svelte@5.0.0-next.216","svelte@5.0.0-next.217","svelte@5.0.0-next.218","svelte@5.0.0-next.219","svelte@5.0.0-next.22","svelte@5.0.0-next.220","svelte@5.0.0-next.221","svelte@5.0.0-next.222","svelte@5.0.0-next.223","svelte@5.0.0-next.224","svelte@5.0.0-next.225","svelte@5.0.0-next.226","svelte@5.0.0-next.227","svelte@5.0.0-next.228","svelte@5.0.0-next.229","svelte@5.0.0-next.23","svelte@5.0.0-next.230","svelte@5.0.0-next.231","svelte@5.0.0-next.232","svelte@5.0.0-next.233","svelte@5.0.0-next.234","svelte@5.0.0-next.235","svelte@5.0.0-next.236","svelte@5.0.0-next.237","svelte@5.0.0-next.238","svelte@5.0.0-next.239","svelte@5.0.0-next.24","svelte@5.0.0-next.240","svelte@5.0.0-next.241","svelte@5.0.0-next.242","svelte@5.0.0-next.243","svelte@5.0.0-next.244","svelte@5.0.0-next.245","svelte@5.0.0-next.246","svelte@5.0.0-next.247","svelte@5.0.0-next.248","svelte@5.0.0-next.249","svelte@5.0.0-next.25","svelte@5.0.0-next.250","svelte@5.0.0-next.251","svelte@5.0.0-next.252","svelte@5.0.0-next.253","svelte@5.0.0-next.254","svelte@5.0.0-next.255","svelte@5.0.0-next.256","svelte@5.0.0-next.257","svelte@5.0.0-next.258","svelte@5.0.0-next.259","svelte@5.0.0-next.26","svelte@5.0.0-next.260","svelte@5.0.0-next.262","svelte@5.0.0-next.263","svelte@5.0.0-next.264","svelte@5.0.0-next.265","svelte@5.0.0-next.266","svelte@5.0.0-next.267","svelte@5.0.0-next.268","svelte@5.0.0-next.269","svelte@5.0.0-next.27","svelte@5.0.0-next.270","svelte@5.0.0-next.
271","svelte@5.0.0-next.272","svelte@5.0.0-next.28","svelte@5.0.0-next.29","svelte@5.0.0-next.3","svelte@5.0.0-next.30","svelte@5.0.0-next.31","svelte@5.0.0-next.32","svelte@5.0.0-next.33","svelte@5.0.0-next.34","svelte@5.0.0-next.35","svelte@5.0.0-next.36","svelte@5.0.0-next.37","svelte@5.0.0-next.38","svelte@5.0.0-next.39","svelte@5.0.0-next.4","svelte@5.0.0-next.40","svelte@5.0.0-next.41","svelte@5.0.0-next.42","svelte@5.0.0-next.43","svelte@5.0.0-next.44","svelte@5.0.0-next.45","svelte@5.0.0-next.46","svelte@5.0.0-next.47","svelte@5.0.0-next.48","svelte@5.0.0-next.49","svelte@5.0.0-next.5","svelte@5.0.0-next.50","svelte@5.0.0-next.51","svelte@5.0.0-next.52","svelte@5.0.0-next.53","svelte@5.0.0-next.54","svelte@5.0.0-next.55","svelte@5.0.0-next.56","svelte@5.0.0-next.57","svelte@5.0.0-next.58","svelte@5.0.0-next.59","svelte@5.0.0-next.6","svelte@5.0.0-next.60","svelte@5.0.0-next.61","svelte@5.0.0-next.62","svelte@5.0.0-next.63","svelte@5.0.0-next.64","svelte@5.0.0-next.65","svelte@5.0.0-next.66","svelte@5.0.0-next.67","svelte@5.0.0-next.68","svelte@5.0.0-next.69","svelte@5.0.0-next.7","svelte@5.0.0-next.70","svelte@5.0.0-next.71","svelte@5.0.0-next.72","svelte@5.0.0-next.73","svelte@5.0.0-next.75","svelte@5.0.0-next.76","svelte@5.0.0-next.77","svelte@5.0.0-next.78","svelte@5.0.0-next.79","svelte@5.0.0-next.8","svelte@5.0.0-next.80","svelte@5.0.0-next.81","svelte@5.0.0-next.82","svelte@5.0.0-next.83","svelte@5.0.0-next.84","svelte@5.0.0-next.85","svelte@5.0.0-next.86","svelte@5.0.0-next.87","svelte@5.0.0-next.88","svelte@5.0.0-next.89","svelte@5.0.0-next.9","svelte@5.0.0-next.90","svelte@5.0.0-next.91","svelte@5.0.0-next.92","svelte@5.0.0-next.93","svelte@5.0.0-next.94","svelte@5.0.0-next.95","svelte@5.0.0-next.96","svelte@5.0.0-next.97","svelte@5.0.0-next.98","svelte@5.0.0-next.99","svelte@5.0.1","svelte@5.0.2","svelte@5.0.3","svelte@5.0.4","svelte@5.0.5","svelte@5.1.0","svelte@5.1.1","svelte@5.1.10","svelte@5.1.11","svelte@5.1.12","svelte@5.1.13","svelte@5.1.14"
,"svelte@5.1.15","svelte@5.1.16","svelte@5.1.17","svelte@5.1.2","svelte@5.1.3","svelte@5.1.4","svelte@5.1.5","svelte@5.1.6","svelte@5.1.7","svelte@5.1.8","svelte@5.1.9","svelte@5.10.0","svelte@5.10.1","svelte@5.11.0","svelte@5.11.1","svelte@5.11.2","svelte@5.11.3","svelte@5.12.0","svelte@5.13.0","svelte@5.14.0","svelte@5.14.1","svelte@5.14.2","svelte@5.14.3","svelte@5.14.4","svelte@5.14.5","svelte@5.14.6","svelte@5.15.0","svelte@5.16.0","svelte@5.16.1","svelte@5.16.2","svelte@5.16.3","svelte@5.16.4","svelte@5.16.5","svelte@5.16.6","svelte@5.17.0","svelte@5.17.1","svelte@5.17.2","svelte@5.17.3","svelte@5.17.4","svelte@5.17.5","svelte@5.18.0","svelte@5.19.0","svelte@5.19.1","svelte@5.19.10","svelte@5.19.2","svelte@5.19.3","svelte@5.19.4","svelte@5.19.5","svelte@5.19.6","svelte@5.19.7","svelte@5.19.8","svelte@5.19.9","svelte@5.2.0","svelte@5.2.1","svelte@5.2.10","svelte@5.2.11","svelte@5.2.12","svelte@5.2.2","svelte@5.2.3","svelte@5.2.4","svelte@5.2.5","svelte@5.2.6","svelte@5.2.7","svelte@5.2.8","svelte@5.2.9","svelte@5.20.0","svelte@5.20.1","svelte@5.20.2","svelte@5.20.3","svelte@5.20.4","svelte@5.20.5","svelte@5.21.0","svelte@5.22.0","svelte@5.22.1","svelte@5.22.2","svelte@5.22.3","svelte@5.22.4","svelte@5.22.5","svelte@5.22.6","svelte@5.23.0","svelte@5.23.1","svelte@5.23.2","svelte@5.24.0","svelte@5.24.1","svelte@5.25.0","svelte@5.25.1","svelte@5.25.10","svelte@5.25.11","svelte@5.25.12","svelte@5.25.2","svelte@5.25.3","svelte@5.25.4","svelte@5.25.5","svelte@5.25.6","svelte@5.25.7","svelte@5.25.8","svelte@5.25.9","svelte@5.26.0","svelte@5.26.1","svelte@5.26.2","svelte@5.26.3","svelte@5.27.0","svelte@5.27.1","svelte@5.27.2","svelte@5.27.3","svelte@5.28.0","svelte@5.28.1","svelte@5.28.2","svelte@5.28.3","svelte@5.28.4","svelte@5.28.5","svelte@5.28.6","svelte@5.28.7","svelte@5.29.0","svelte@5.3.0","svelte@5.3.1","svelte@5.3.2","svelte@5.30.0","svelte@5.30.1","svelte@5.30.2","svelte@5.31.0","svelte@5.31.1","svelte@5.32.0","svelte@5.32.1","svelte@5.32.2","svelte@5.33.0",
"svelte@5.33.1","svelte@5.33.10","svelte@5.33.11","svelte@5.33.12","svelte@5.33.13","svelte@5.33.14","svelte@5.33.15","svelte@5.33.16","svelte@5.33.17","svelte@5.33.18","svelte@5.33.19","svelte@5.33.2","svelte@5.33.3","svelte@5.33.4","svelte@5.33.5","svelte@5.33.6","svelte@5.33.7","svelte@5.33.8","svelte@5.33.9","svelte@5.34.0","svelte@5.34.1","svelte@5.34.2","svelte@5.34.3","svelte@5.34.4","svelte@5.34.5","svelte@5.34.6","svelte@5.34.7","svelte@5.34.8","svelte@5.34.9","svelte@5.35.0","svelte@5.35.1","svelte@5.35.2","svelte@5.35.3","svelte@5.35.4","svelte@5.35.5","svelte@5.35.6","svelte@5.35.7","svelte@5.36.0","svelte@5.36.1","svelte@5.36.10","svelte@5.36.12","svelte@5.36.13","svelte@5.36.14","svelte@5.36.15","svelte@5.36.16","svelte@5.36.17","svelte@5.36.2","svelte@5.36.3","svelte@5.36.4","svelte@5.36.5","svelte@5.36.6","svelte@5.36.7","svelte@5.36.8","svelte@5.36.9","svelte@5.37.0","svelte@5.37.1","svelte@5.37.2","svelte@5.37.3","svelte@5.38.0","svelte@5.38.1","svelte@5.38.10","svelte@5.38.2","svelte@5.38.3","svelte@5.38.5","svelte@5.38.6","svelte@5.38.7","svelte@5.38.8","svelte@5.38.9","svelte@5.39.0","svelte@5.39.1","svelte@5.39.10","svelte@5.39.11","svelte@5.39.12","svelte@5.39.13","svelte@5.39.2","svelte@5.39.3","svelte@5.39.4","svelte@5.39.5","svelte@5.39.6","svelte@5.39.7","svelte@5.39.8","svelte@5.39.9","svelte@5.4.0","svelte@5.40.0","svelte@5.40.1","svelte@5.40.2","svelte@5.41.0","svelte@5.41.1","svelte@5.41.2","svelte@5.41.3","svelte@5.41.4","svelte@5.42.0","svelte@5.42.1","svelte@5.42.2","svelte@5.42.3","svelte@5.43.0","svelte@5.43.1","svelte@5.43.10","svelte@5.43.11","svelte@5.43.12","svelte@5.43.13","svelte@5.43.14","svelte@5.43.15","svelte@5.43.2","svelte@5.43.3","svelte@5.43.4","svelte@5.43.5","svelte@5.43.6","svelte@5.43.7","svelte@5.43.8","svelte@5.43.9","svelte@5.44.0","svelte@5.44.1","svelte@5.45.0","svelte@5.45.1","svelte@5.45.10","svelte@5.45.2","svelte@5.45.3","svelte@5.45.4","svelte@5.45.5","svelte@5.45.6","svelte@5.45.7","svelte@5.45.8","sve
lte@5.45.9","svelte@5.46.0","svelte@5.46.1","svelte@5.46.3","svelte@5.46.4","svelte@5.47.0","svelte@5.47.1","svelte@5.48.0","svelte@5.48.1","svelte@5.48.2","svelte@5.48.3","svelte@5.48.4","svelte@5.48.5","svelte@5.49.0","svelte@5.49.1","svelte@5.49.2","svelte@5.5.0","svelte@5.5.2","svelte@5.5.3","svelte@5.5.4","svelte@5.50.0","svelte@5.50.1","svelte@5.50.2","svelte@5.50.3","svelte@5.51.0","svelte@5.51.1","svelte@5.51.2","svelte@5.51.3","svelte@5.51.4","svelte@5.6.0","svelte@5.6.1","svelte@5.6.2","svelte@5.7.0","svelte@5.7.1","svelte@5.8.0","svelte@5.8.1","svelte@5.9.0","svelte@5.9.1","v0.0.2","v0.1.0","v0.1.1","v0.2.0","v0.2.1","v0.2.2","v0.3.0","v1.0.0","v1.0.1","v1.0.3","v1.0.4","v1.0.5","v1.0.6","v1.0.7","v1.1.0","v1.1.1","v1.1.2","v1.1.3","v1.10.0","v1.10.1","v1.10.2","v1.11.0","v1.11.1","v1.11.2","v1.11.3","v1.11.4","v1.12.0","v1.12.1","v1.13.0","v1.13.1","v1.13.2","v1.13.3","v1.13.4","v1.13.5","v1.13.6","v1.13.7","v1.14.0","v1.14.1","v1.15.0","v1.15.1","v1.16.0","v1.17.0","v1.17.1","v1.17.2","v1.18.0","v1.18.1","v1.18.2","v1.19.0","v1.19.1","v1.2.0","v1.2.2","v1.2.3","v1.2.4","v1.2.5","v1.20.0","v1.20.1","v1.20.2","v1.21.0","v1.22.0","v1.22.1","v1.22.2","v1.22.3","v1.22.4","v1.22.5","v1.23.0","v1.23.1","v1.23.2","v1.23.3","v1.23.4","v1.24.0","v1.25.0","v1.25.1","v1.26.0","v1.26.1","v1.26.2","v1.27.0","v1.28.0","v1.28.1","v1.29.0","v1.29.1","v1.29.2","v1.29.3","v1.3.0","v1.3.1","v1.30.0","v1.31.0","v1.32.0","v1.33.0","v1.34.0","v1.35.0","v1.36.0","v1.37.0","v1.38.0","v1.39.0","v1.39.1","v1.39.2","v1.39.3","v1.39.4","v1.4.0","v1.40.0","v1.40.1","v1.40.2","v1.41.0","v1.41.1","v1.41.2","v1.41.3","v1.41.4","v1.42.0","v1.42.1","v1.43.0","v1.43.1","v1.44.0","v1.44.1","v1.44.2","v1.45.0","v1.46.0","v1.46.1","v1.47.0","v1.47.1","v1.47.2","v1.48.0","v1.49.0","v1.49.1","v1.49.2","v1.49.3","v1.5.0","v1.50.0","v1.50.1","v1.51.0","v1.51.1","v1.52.0","v1.53.0","v1.54.0","v1.54.1","v1.54.2","v1.55.0","v1.55.1","v1.56.0","v1.56.1","v1.56.2","v1.56.3","v1.56.4","v1.57.0","v1.57
.1","v1.57.2","v1.57.3","v1.57.4","v1.58.0","v1.58.1","v1.58.2","v1.58.3","v1.58.4","v1.58.5","v1.59.0","v1.6.0","v1.6.1","v1.6.10","v1.6.11","v1.6.2","v1.6.3","v1.6.4","v1.6.5","v1.6.6","v1.6.7","v1.6.8","v1.6.9","v1.60.0","v1.60.1","v1.60.2","v1.60.3","v1.61.0","v1.62.0","v1.63.0","v1.63.1","v1.64.0","v1.64.1","v1.7.0","v1.7.1","v1.8.0","v1.8.1","v1.9.0","v1.9.1","v2.0.0","v2.1.0","v2.1.1","v2.10.0","v2.10.1","v2.11.0","v2.12.0","v2.12.1","v2.13.0","v2.13.1","v2.13.2","v2.13.3","v2.13.4","v2.13.5","v2.14.0","v2.14.1","v2.14.2","v2.14.3","v2.15.0","v2.15.1","v2.15.2","v2.15.3","v2.15.4","v2.2.0","v2.3.0","v2.4.0","v2.4.1","v2.4.2","v2.4.3","v2.4.4","v2.5.0","v2.5.1","v2.6.0","v2.6.1","v2.6.2","v2.6.3","v2.6.4","v2.6.5","v2.6.6","v2.7.0","v2.7.1","v2.7.2","v2.8.0","v2.8.1","v2.9.0","v2.9.1","v2.9.10","v2.9.11","v2.9.4","v2.9.5","v2.9.6","v2.9.7","v2.9.8","v2.9.9","v3.0.0","v3.0.0-beta.24","v3.23.1","v3.23.2","v3.24.0","v3.24.1","v3.25.0","v3.25.1","v3.26.0","v3.27.0","v3.28.0","v3.29.0","v3.29.1","v3.29.2","v3.29.3","v3.29.4","v3.29.5","v3.29.6","v3.29.7","v3.30.0","v3.30.1","v3.31.0","v3.31.1","v3.31.2","v3.32.0","v3.32.1","v3.32.2","v3.32.3","v3.33.0","v3.34.0","v3.35.0","v3.36.0","v3.37.0","v3.38.0","v3.38.1","v3.38.2","v3.38.3","v3.39.0","v3.40.0","v3.40.1","v3.40.2","v3.40.3","v3.41.0","v3.42.0","v3.42.1","v3.42.2","v3.42.3","v3.42.4","v3.42.5","v3.42.6","v3.43.0","v3.43.1","v3.43.2","v3.44.0","v3.44.1","v3.44.2","v3.44.3","v3.45.0","v3.46.0","v3.46.1","v3.46.2","v3.46.3","v3.46.4","v3.46.5","v3.46.6","v3.47.0","v3.48.0","v3.49.0","v3.50.0","v3.50.1","v3.51.0","v3.52.0","v3.53.0","v3.53.1","v3.54.0","v3.55.0","v3.55.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27121.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"}]}