GHSA-97R8-RF7Q-WMJW
Vulnerability from github – Published: 2026-05-18 13:43 – Updated: 2026-05-18 13:43Impact
A stored cross-site scripting (XSS) vulnerability affected entry summary rendering in Sveltia CMS.
Entry summaries that allowed limited Markdown were parsed, sanitized, and then HTML entities were decoded. This order allowed specially crafted entity-encoded HTML, such as encoded tags or event handler attributes, to become active HTML after sanitization. When the resulting summary was rendered in the CMS UI, arbitrary JavaScript could execute in the browser of a user viewing the affected entry list or search result.
The practical impact is limited in currently supported Sveltia CMS usage because the CMS is intended for a single developer or a small trusted team, and open authoring / untrusted multi-user authoring is not currently implemented. Exploitation requires the ability to place malicious content into the repository or content source that the CMS loads.
Patches
The issue has been patched by changing entry summary sanitization so that HTML entity decoding happens before sanitization for Markdown-enabled summaries. This ensures any decoded HTML is processed by the sanitizer before being rendered.
Users should upgrade to Sveltia CMS v0.160.1 or later.
Workarounds
If upgrading is not immediately possible, avoid loading CMS content from untrusted authors and review content for entity-encoded HTML payloads in fields used by entry summaries.
Administrators can also reduce exposure by avoiding Markdown-enabled summary rendering for untrusted content where possible, or by ensuring repository write access is limited to trusted users only.
Resources
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- https://cwe.mitre.org/data/definitions/79.html
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 0.160.0"
},
"package": {
"ecosystem": "npm",
"name": "@sveltia/cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.160.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T13:43:50Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\n\nA stored cross-site scripting (XSS) vulnerability affected entry summary rendering in Sveltia CMS.\n\nEntry summaries that allowed limited Markdown were parsed, sanitized, and then HTML entities were decoded. This order allowed specially crafted entity-encoded HTML, such as encoded tags or event handler attributes, to become active HTML after sanitization. When the resulting summary was rendered in the CMS UI, arbitrary JavaScript could execute in the browser of a user viewing the affected entry list or search result.\n\nThe practical impact is limited in currently supported Sveltia CMS usage because the CMS is intended for a single developer or a small trusted team, and [open authoring](https://sveltiacms.app/en/docs/workflows/open) / untrusted multi-user authoring is not currently implemented. Exploitation requires the ability to place malicious content into the repository or content source that the CMS loads.\n\n### Patches\n\nThe issue has been patched by changing entry summary sanitization so that HTML entity decoding happens before sanitization for Markdown-enabled summaries. This ensures any decoded HTML is processed by the sanitizer before being rendered.\n\nUsers should upgrade to Sveltia CMS [v0.160.1](https://github.com/sveltia/sveltia-cms/releases/tag/v0.160.1) or later.\n\n### Workarounds\n\nIf upgrading is not immediately possible, avoid loading CMS content from untrusted authors and review content for entity-encoded HTML payloads in fields used by entry summaries.\n\nAdministrators can also reduce exposure by avoiding Markdown-enabled summary rendering for untrusted content where possible, or by ensuring repository write access is limited to trusted users only.\n\n### Resources\n\n- CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\n- https://cwe.mitre.org/data/definitions/79.html",
"id": "GHSA-97r8-rf7q-wmjw",
"modified": "2026-05-18T13:43:50Z",
"published": "2026-05-18T13:43:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sveltia/sveltia-cms/security/advisories/GHSA-97r8-rf7q-wmjw"
},
{
"type": "WEB",
"url": "https://github.com/sveltia/sveltia-cms/commit/43a6ac5d0182a503400d8ce1ac156e08f537b1b2"
},
{
"type": "PACKAGE",
"url": "https://github.com/sveltia/sveltia-cms"
},
{
"type": "WEB",
"url": "https://github.com/sveltia/sveltia-cms/releases/tag/v0.160.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Sveltia CMS: Stored XSS in entry summary rendering via entity-decoded HTML"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.