266 matches found

RedhatCVE
added 2026/06/12 8:34 p.m. | 9 views

CVE-2026-42567

A flaw was found in Svelte, a web framework. An internal regular expression regex in the Svelte runtime, specifically when processing , can be exploited by a remote attacker. By providing specially crafted input, an attacker can cause the regex to take an exponential amount of time to process,...

CVSS 7.5 | AI score 5.4 | EPSS 0.00421
Exploits: 0 | References: 5

RedhatCVE
added 2026/06/11 2:59 p.m. | 8 views

CVE-2026-42570

A flaw was found in devalue, a JavaScript library used for serializing values. Due to quirks in some JavaScript engines, the devalue.parse function could be exploited by a remote attacker when deserializing specially crafted sparse arrays. This could lead to excessive memory consumption, resultin...

CVSS 7.5 | AI score 5.4 | EPSS 0.00346
Exploits: 0 | References: 6

RedhatCVE
added 2026/06/10 3:1 p.m. | 6 views

CVE-2026-42599

A flaw was found in Svelte. When an application uses spread syntax to render attributes from untrusted data, event handler properties are included in the generated HTML output. This allows a remote attacker to inject malicious event handlers that can execute in a victim's web browser, leading to...

CVSS 6.1 | AI score 5.4 | EPSS 0.00168
Exploits: 0 | References: 5

NVD
added 2026/06/09 5:17 p.m. | 8 views

CVE-2026-42567

Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in . This issue has been patched in version 5.55.7...

CVSS 7.5 | EPSS 0.00421
Exploits: 0 | References: 2

NVD
added 2026/06/09 5:17 p.m. | 9 views

CVE-2026-42570

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when...

CVSS 7.5 | EPSS 0.00346
Exploits: 0 | References: 3

NVD
added 2026/06/09 5:17 p.m. | 6 views

CVE-2026-42573

Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7...

CVSS 6.1 | EPSS 0.00211
Exploits: 0 | References: 2

NVD
added 2026/06/09 5:17 p.m. | 9 views

CVE-2026-42599

Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an...

CVSS 6.1 | EPSS 0.00168
Exploits: 0 | References: 2

EUVD
added 2026/06/09 4:22 p.m. | 6 views

EUVD-2026-35703

Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an...

CVSS 5 | AI score 5.5 | EPSS 0.00168
Exploits: 0 | References: 2

Vulnrichment
added 2026/06/09 4:22 p.m. | 7 views

CVE-2026-42599 Cross-site scripting via spread attributes in Svelte SSR

Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an...

CVSS 5 | AI score 5.5 | EPSS 0.00168
Exploits: 0 | References: 2

CVE
added 2026/06/09 4:22 p.m. | 27 views

CVE-2026-42599

CVE-2026-42599 affects Svelte SSR. Prior to version 5.55.7, using spread syntax to render attributes from untrusted data may include event handler properties in the rendered HTML, enabling attackers to inject malicious event handlers that run in victims’ browsers if JavaScript is enabled and hydr...

CVSS 6.1 | AI score 5.5 | EPSS 0.00168
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2026/06/09 4:22 p.m. | 26 views

CVE-2026-42599 Cross-site scripting via spread attributes in Svelte SSR

Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an...

CVSS 5 | EPSS 0.00168
Exploits: 0 | References: 2

CVE
added 2026/06/09 4:22 p.m. | 17 views

CVE-2026-42567

CVE-2026-42567 affects Svelte runtimes from 5.51.5 up to 5.55.6, where an internal regex used during svelte:element tag validation can cause exponential-time processing (ReDoS) on certain tag names. The issue is triggered during the validation of , leading to significant CPU usage and potential...

CVSS 7.5 | AI score 5.3 | EPSS 0.00421
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2026/06/09 4:22 p.m. | 25 views

CVE-2026-42567 Svelte: ReDoS in `<svelte:element>` Tag Validation

Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in . This issue has been patched in version 5.55.7...

CVSS 5.9 | EPSS 0.00421
Exploits: 0 | References: 2

EUVD
added 2026/06/09 4:22 p.m. | 8 views

EUVD-2026-35702

Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in . This issue has been patched in version 5.55.7...

CVSS 5.9 | AI score 5.3 | EPSS 0.00421
Exploits: 0 | References: 2

Vulnrichment
added 2026/06/09 4:22 p.m. | 8 views

CVE-2026-42567 Svelte: ReDoS in `<svelte:element>` Tag Validation

Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in . This issue has been patched in version 5.55.7...

CVSS 5.9 | AI score 5.4 | EPSS 0.00421
Exploits: 0 | References: 2

EUVD
added 2026/06/09 4:21 p.m. | 8 views

EUVD-2026-35701

Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7...

CVSS 5.3 | AI score 5.3 | EPSS 0.00211
Exploits: 0 | References: 2

CVE
added 2026/06/09 4:21 p.m. | 13 views

CVE-2026-42573

CVE-2026-42573 affects Svelte before version 5.55.7, where DOM clobbering of the internal framework state on elements could lead to XSS. The issue is patched in version 5.55.7. The vulnerability relates to attribute spreading on a form element and the use of spread or dynamic name attributes on...

CVSS 6.1 | AI score 5.3 | EPSS 0.00211
Exploits: 0 | References: 2 | Affected Software: 1

Vulnrichment
added 2026/06/09 4:21 p.m. | 7 views

CVE-2026-42573 Svelte: XSS via DOM Clobbering of Internal Framework State

Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7...

CVSS 5.3 | AI score 5.3 | EPSS 0.00211
Exploits: 0 | References: 2

Cvelist
added 2026/06/09 4:21 p.m. | 26 views

CVE-2026-42573 Svelte: XSS via DOM Clobbering of Internal Framework State

Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7...

CVSS 5.3 | EPSS 0.00211
Exploits: 0 | References: 2

CVE
added 2026/06/09 4:12 p.m. | 27 views

CVE-2026-42570

CVE-2026-42570 affects the Svelte devalue library. devalue.parse could allocate excessive memory when deserializing sparse arrays in versions 5.6.3 through 5.8.0, due to engine quirks. The issue is fixed in version 5.8.1. Affected references include GitHub advisories GHSA-77vg-94rm-hx3p and OSV e...

CVSS 7.5 | AI score 5.3 | EPSS 0.00346
Exploits: 0 | References: 3 | Affected Software: 1