Svelte HTML Injection Vulnerability in Server-Side Rendering

Vulnerability

A vulnerability in the Svelte web framework prior to version 5.51.5 allows HTML injection during server-side rendering. The issue arises when `<svelte:element this={tag}>` is used: the tag name is not validated or sanitized before it is written into the HTML output. If the tag value contains unexpected characters (anything outside a legal element name), those characters are emitted verbatim, which leads to HTML injection in the server-side rendered output. Client-side rendering is not affected.

Impact

Exploitation of this vulnerability could result in HTML injection in the server-side rendered output, potentially allowing for the inclusion of malicious HTML or scripts.

Remediation

Users can upgrade to Svelte version 5.51.5 or later to address this vulnerability.
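The following is an added example, not Svelte's own code or its fix, showing the kind of guard a server-side renderer should apply before interpolating a dynamic tag name: the name is checked against a strict element-name grammar and rejected if it contains anything else. The regular expression, the `renderDynamicElement` helper and the sample tag values are assumptions constructed for this illustration.

```javascript
// Added example (not Svelte's code): validate a dynamic tag name before it
// is interpolated into server-side rendered HTML.
//
// <svelte:element this={tag}> writes the tag name into the SSR output. If the
// value is taken from untrusted input and not validated, every character in it
// lands in the HTML verbatim. The guard below refuses anything that is not a
// plain element name, so '<', '>', '/', whitespace and quotes can never reach
// the output.

// Element-name grammar (assumption modelled on HTML tag / custom-element names):
// an ASCII letter, then letters, digits or hyphens only.
const TAG_NAME_RE = /^[A-Za-z][A-Za-z0-9-]*$/;

function isValidTagName(tag) {
  return typeof tag === 'string' && TAG_NAME_RE.test(tag);
}

// Void elements must not receive a closing tag.
const VOID_ELEMENTS = new Set([
  'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
  'link', 'meta', 'source', 'track', 'wbr',
]);

// Text content is escaped separately; tag names are validated, not escaped,
// because an escaped tag name is still the wrong thing to emit.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Minimal hardened SSR helper (hypothetical): throws on an invalid tag name
// instead of interpolating it.
function renderDynamicElement(tag, children = '') {
  if (!isValidTagName(tag)) {
    throw new Error(`Invalid dynamic tag name: ${JSON.stringify(tag)}`);
  }
  const name = tag.toLowerCase();
  if (VOID_ELEMENTS.has(name)) return `<${name}>`;
  return `<${name}>${escapeHtml(children)}</${name}>`;
}

// Constructed sample inputs: legal names render, anything with unexpected
// characters is rejected (recorded as null).
function demo() {
  const results = {};
  for (const tag of ['div', 'my-widget', 'br', 'div><b', 'a b', '1x', '']) {
    try {
      results[tag] = renderDynamicElement(tag, 'hello');
    } catch (e) {
      results[tag] = null; // rejected by the validator
    }
  }
  return results;
}
```

Rejecting rather than escaping is the right choice for a tag name: there is no safe encoded form of `>` inside an element name, so a value that fails the grammar should be treated as a programming error or an attack attempt and logged, not rendered. Running `demo()` shows `div`, `my-widget` and `br` rendering normally while the remaining values are rejected.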

Added: Feb 20, 2026, 11:26 PM
Updated: Feb 20, 2026, 11:26 PM

Vulnerability Rating

Custom Algorithm

  spread          4.2
  impact          1.0
  exploitability  3.3
  remediation     7.7
  relevance       3.2
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.