CVE-2026-27122
Svelte SSR does not validate dynamic element tag names in `<svelte:element>`
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
| CWE | CWE-79 |
| Vendor | sveltejs |
| Product | svelte |
| Published | Feb 20, 2026 |
| Last Updated | Feb 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for sveltejs svelte
Be the first to know when new unknown vulnerabilities affecting sveltejs svelte are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
sveltejs / svelte
< 5.51.5