Svelte HTML Injection Vulnerability in Server-Side Rendered Option Elements

Vulnerability

A vulnerability in the Svelte web framework affects versions from 5.39.3 up to, but not including, 5.51.4: the content of `<option>` elements is not escaped in server-side rendering (SSR) output, so attacker-controlled option content can inject HTML into the rendered page. Client-side rendering is not affected.
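The defect class above, as an added illustration that is not Svelte's code: a minimal SSR-style helper renders a `<select>` from option labels once without escaping and once with escaping, and a small check scans rendered markup for tags that should not be there. The function names (`escapeHtml`, `renderSelectUnsafe`, `renderSelectSafe`, `optionContentIsEscaped`) and the sample input are assumptions for this example.

```javascript
// Added illustrative example (not Svelte's own renderer). Shows why unescaped
// <option> text in SSR output is an HTML injection and what the fix looks like.

// Escape the characters that can change HTML structure or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Defective renderer: interpolates option value and text verbatim into the
// server-rendered string, so a label containing markup becomes real markup.
function renderSelectUnsafe(options) {
  return (
    "<select>" +
    options.map((o) => `<option value="${o.value}">${o.label}</option>`).join("") +
    "</select>"
  );
}

// Hardened renderer: escapes both the attribute value and the text content.
function renderSelectSafe(options) {
  return (
    "<select>" +
    options
      .map((o) => `<option value="${escapeHtml(o.value)}">${escapeHtml(o.label)}</option>`)
      .join("") +
    "</select>"
  );
}

// Review check for rendered output: the only tags a select fragment should
// contain are <select> and <option> (and their closing tags). Any other tag
// means content escaped its text context.
function optionContentIsEscaped(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?(select|option)\b/.test(t));
}

// Constructed sample input: one benign label and one label carrying markup,
// as a user-supplied value might.
const sampleOptions = [
  { value: "a", label: "Plain label" },
  { value: "b", label: "</option><b>injected</b>" },
];

// Usage: compare both renderers on the same input.
console.log("unsafe escaped:", optionContentIsEscaped(renderSelectUnsafe(sampleOptions))); // false
console.log("safe escaped:  ", optionContentIsEscaped(renderSelectSafe(sampleOptions)));   // true
```

The check is a coarse structural test meant for unit tests or an output review, not a substitute for escaping at the rendering layer; the fix is the escaping in `renderSelectSafe`, applied to attribute values and text content alike.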

Impact

Exploitation could lead to Cross-Site Scripting (XSS): an attacker supplies option content containing HTML, the server renders it unescaped, and the resulting markup is interpreted and executed in the user's browser.

Remediation

Users can upgrade to Svelte version 5.51.5 to address this vulnerability.
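A version-range check, added here as an example and not part of the advisory or Svelte's tooling, that tells whether an installed Svelte version falls in the affected range the advisory names (5.39.3 up to but not including 5.51.4) and reports the advisory's recommended upgrade version. The helper names (`parseVersion`, `compareVersions`, `isAffected`, `checkSveltePackage`) are assumptions; the version numbers come from the advisory.

```javascript
// Added illustrative check (hypothetical helpers, not Svelte's own tooling).
// Affected range and recommended version are taken from the advisory text.
const AFFECTED_FROM = "5.39.3"; // first affected version
const FIXED_BEFORE = "5.51.4";  // affected versions are prior to this
const RECOMMENDED = "5.51.5";   // version the advisory says to upgrade to

// Parse "major.minor.patch" (optional leading "v"); a prerelease suffix such
// as "-next.1" is ignored for this comparison.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when AFFECTED_FROM <= installed < FIXED_BEFORE.
function isAffected(installed) {
  return (
    compareVersions(installed, AFFECTED_FROM) >= 0 &&
    compareVersions(installed, FIXED_BEFORE) < 0
  );
}

// Takes a package.json-style object, e.g. the parsed contents of
// node_modules/svelte/package.json, and returns a finding.
function checkSveltePackage(pkg) {
  if (!pkg || pkg.name !== "svelte") throw new Error("not the svelte package");
  return {
    version: pkg.version,
    affected: isAffected(pkg.version),
    recommended: RECOMMENDED,
  };
}

// Usage with a constructed package object.
console.log(checkSveltePackage({ name: "svelte", version: "5.40.0" }));
```

To run it against a real install, replace the constructed object with `JSON.parse(fs.readFileSync("node_modules/svelte/package.json", "utf8"))`; lockfiles with multiple Svelte copies need each entry checked.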

Added: Feb 20, 2026, 11:27 PM
Updated: Feb 20, 2026, 11:27 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 1.0
exploitability: 4.7
remediation: 7.7
relevance: 3.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.