CVE-2026-27122 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Svelte web framework prior to version 5.51.5. The issue occurs specifically when using the <svelte:element this={tag}> directive during server-side rendering (SSR). In this scenario, the tag name provided by the developer or user is not properly validated or sanitized before being emitted into the HTML output. This lack of input neutralization allows an attacker who can influence the tag string to inject malicious HTML or script code into the SSR output, potentially leading to HTML injection attacks. Importantly, this vulnerability does not impact client-side rendering, where the tag name is handled differently. The vulnerability requires that the attacker have high privileges and authentication to exploit, and no user interaction is necessary. The CVSS 4.0 vector indicates network attack vector, high attack complexity, privileges required, no user interaction, and low confidentiality impact. The vulnerability has been addressed in Svelte version 5.51.5, which properly validates and sanitizes the tag name during SSR. No public exploits have been reported to date, but the vulnerability poses a risk to applications using vulnerable Svelte versions in SSR contexts.

The primary impact of CVE-2026-27122 is the potential for HTML injection via server-side rendered content, which can lead to cross-site scripting attacks if exploited. This can compromise the confidentiality and integrity of user data by enabling attackers to execute arbitrary scripts in the context of the affected web application. Although the confidentiality impact is rated low, successful exploitation could facilitate session hijacking, defacement, or redirection to malicious sites. The vulnerability requires high privileges and authentication, limiting the attack surface primarily to insiders or compromised accounts with elevated rights. Organizations using Svelte for server-side rendering in web applications risk exposing their users to these attacks if they do not upgrade. The scope is limited to SSR implementations using the vulnerable tag syntax, so client-side only applications are unaffected. The medium severity rating reflects the moderate risk posed by this vulnerability given the exploitation constraints and impact scope.

To mitigate CVE-2026-27122, organizations should immediately upgrade all Svelte instances to version 5.51.5 or later, where the vulnerability is fixed by proper validation and sanitization of the tag name in SSR. Developers should audit their codebases to identify any use of <svelte:element this={tag}> in server-side rendering contexts and ensure that untrusted input is never passed directly as tag names. Implement strict input validation and sanitization on any user-controllable data used in SSR templates. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources. Monitor application logs for unusual SSR tag usage or injection attempts. Additionally, restrict access to high privilege accounts and enforce strong authentication controls to reduce the risk of insider exploitation. Regularly update dependencies and conduct security reviews of SSR implementations to prevent similar injection vulnerabilities.