
Svelte SSR XSS Vulnerability Exposes Code Execution Risk

DEV Community

A high-severity Cross-Site Scripting (XSS) vulnerability, tracked as GHSA-GW32-9RMW-QWWW, affects Svelte's Server-Side Rendering (SSR) compiler. The flaw, with a CVSS score of 8.4, stems from improper escaping of `bind:value` directives on `<textarea>` elements. Attackers can break out of the HTML tag context and execute arbitrary JavaScript.

The SSR compiler incorrectly treated `<textarea>` contents as attributes instead of child nodes, failing to escape user-supplied input. This oversight allows an attacker to inject a closing `</textarea>` tag to prematurely end the element and run malicious scripts. The issue impacts all Svelte versions from 3.0.0 up to but not including 3.59.2.

Svelte maintainers patched the vulnerability in version 3.59.2. The fix involves explicitly escaping the textarea's child content during server-side rendering. Developers using SvelteKit or other SSR frameworks built on Svelte must upgrade to the patched version or Svelte 4.0.0, which includes the correction by default, to prevent potential code injection attacks.
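The attribute-versus-child-content distinction described above, as an added example that is not Svelte's compiler code: a simplified model of an SSR renderer escaping a bound `<textarea>` value the flawed way and the fixed way, plus an integrity check a test suite could run over rendered HTML. The function names and escape tables are this example's assumptions.

```javascript
// Added example (not Svelte's own source): a simplified model of how an SSR
// renderer can emit <textarea bind:value> content, contrasting attribute-style
// escaping (the flawed behaviour described above) with child-content escaping.
// Function names and escape tables are this example's assumptions.

// Escaping that is sufficient for a double-quoted attribute value: it neutralises
// the quote and ampersand, but leaves "<" untouched.
function escapeAttribute(value) {
  return String(value).replace(/[&"]/g, (c) => (c === '&' ? '&amp;' : '&quot;'));
}

// Escaping required for text that lands between tags: "<" must become "&lt;"
// so that no closing tag can be injected, and "&" must become "&amp;".
function escapeContent(value) {
  return String(value).replace(/[&<]/g, (c) => (c === '&' ? '&amp;' : '&lt;'));
}

// Flawed renderer: the bound value is escaped as if it were an attribute value
// even though it is written as the element's child node, so a "</textarea>"
// sequence inside the value survives and closes the element early.
function renderTextareaVulnerable(value) {
  return `<textarea>${escapeAttribute(value)}</textarea>`;
}

// Fixed renderer: the value is escaped as child content before being emitted.
function renderTextareaFixed(value) {
  return `<textarea>${escapeContent(value)}</textarea>`;
}

// Defender-side check: the serialised element must contain exactly one closing
// tag, the one the renderer itself wrote. Any extra one means the user value
// broke out of the textarea context.
function textareaIsIntact(html) {
  return (html.match(/<\/textarea>/gi) || []).length === 1;
}

// Constructed sample value: user-controlled text containing an early closing tag
// followed by markup that should never be interpreted as markup.
const untrustedValue = 'hello</textarea><b>injected</b>';

console.log(renderTextareaVulnerable(untrustedValue)); // two closing tags: breakout
console.log(renderTextareaFixed(untrustedValue));      // "&lt;/textarea>" stays inert
```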