Nixpkgs security tracker

Untriaged

Permalink CVE-2026-27902

created 1 month, 3 weeks ago

Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers

Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue.

References

https://github.com/sveltejs/svelte/security/advisories/GHSA-qgvg-pr8v-6rr3 x_refsource_CONFIRM
https://github.com/sveltejs/svelte/commit/0298e979371bb583855c9810db79a70a551d22b9 x_refsource_MISC
https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5 x_refsource_MISC

Affected products

svelte

==>= 5.53.0, < 5.53.5

Matching in nixpkgs

pkgs.svelte-check

Svelte code checker

nixos-unstable 4.3.1
- nixpkgs-unstable 4.3.1
- nixos-unstable-small 4.3.1
nixos-25.11 4.3.1
- nixos-25.11-small 4.3.1
- nixpkgs-25.11-darwin 4.3.1

pkgs.svelte-language-server

Language server (implementing the language server protocol) for Svelte

nixos-unstable 0.17.25
- nixpkgs-unstable 0.17.25
- nixos-unstable-small 0.17.25
nixos-25.11 0.17.21
- nixos-25.11-small 0.17.21
- nixpkgs-25.11-darwin 0.17.21

pkgs.vscode-extensions.svelte.svelte-vscode

Svelte language support for VS Code

nixos-unstable 109.13.0
- nixpkgs-unstable 109.14.2
- nixos-unstable-small 109.14.2
nixos-25.11 109.12.0
- nixos-25.11-small 109.12.0
- nixpkgs-25.11-darwin 109.12.0

pkgs.tree-sitter-grammars.tree-sitter-svelte

None

nixos-unstable 0.11.0
- nixpkgs-unstable 0.11.0
- nixos-unstable-small 0.11.0
nixos-25.11 0.25.10
- nixos-25.11-small 0.25.10
- nixpkgs-25.11-darwin 0.25.10

pkgs.vimPlugins.nvim-treesitter-parsers.svelte

None

nixos-unstable 0.0.0+rev=ae5199d
- nixpkgs-unstable 0.0.0+rev=ae5199d
- nixos-unstable-small 0.0.0+rev=ae5199d
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin