Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-97r8-rf7q-wmjw

Sveltia CMS: Stored XSS in entry summary rendering via entity-decoded HTML

Published
May 18, 2026
Updated
May 18, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

@sveltia/cmsnpm
4Kdownloads / week

Description

Impact

A stored cross-site scripting (XSS) vulnerability affected entry summary rendering in Sveltia CMS.

Entry summaries that allowed limited Markdown were parsed, sanitized, and then HTML entities were decoded. This order allowed specially crafted entity-encoded HTML, such as encoded tags or event handler attributes, to become active HTML after sanitization. When the resulting summary was rendered in the CMS UI, arbitrary JavaScript could execute in the browser of a user viewing the affected entry list or search result.

The practical impact is limited in currently supported Sveltia CMS usage because the CMS is intended for a single developer or a small trusted team, and open authoring / untrusted multi-user authoring is not currently implemented. Exploitation requires the ability to place malicious content into the repository or content source that the CMS loads.

Patches

The issue has been patched by changing entry summary sanitization so that HTML entity decoding happens before sanitization for Markdown-enabled summaries. This ensures any decoded HTML is processed by the sanitizer before being rendered.

Users should upgrade to Sveltia CMS v0.160.1 or later.

Workarounds

If upgrading is not immediately possible, avoid loading CMS content from untrusted authors and review content for entity-encoded HTML payloads in fields used by entry summaries.

Administrators can also reduce exposure by avoiding Markdown-enabled summary rendering for untrusted content where possible, or by ensuring repository write access is limited to trusted users only.

Resources

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npm@sveltia/cmsall versions0.160.1

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @sveltia/cms. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update @sveltia/cms to 0.160.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-97r8-rf7q-wmjw is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-97r8-rf7q-wmjw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-97r8-rf7q-wmjw. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact A stored cross-site scripting (XSS) vulnerability affected entry summary rendering in Sveltia CMS. Entry summaries that allowed limited Markdown were parsed, sanitized, and then HTML entities were decoded. This order allowed specially crafted entity-encoded HTML, such as encoded tags or event handler attributes, to become active HTML after sanitization. When the resulting summary was rendered in the CMS UI, arbitrary JavaScript could execute in the browser of a user viewing the affected entry list or search result. The practical impact is limited in currently supported Sveltia CM
O3 Security · Impact-Aware SCA

Is GHSA-97r8-rf7q-wmjw in your dependencies?

O3 detects GHSA-97r8-rf7q-wmjw across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.