24 matches found
CVE-2026-42567
A flaw was found in Svelte, a web framework. An internal regular expression regex in the Svelte runtime, specifically when processing , can be exploited by a remote attacker. By providing specially crafted input, an attacker can cause the regex to take an exponential amount of time to process,...
CVE-2026-42599
A flaw was found in Svelte. When an application uses spread syntax to render attributes from untrusted data, event handler properties are included in the generated HTML output. This allows a remote attacker to inject malicious event handlers that can execute in a victim's web browser, leading to...
CVE-2026-42573
Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7...
CVE-2026-42567 Svelte: ReDoS in `<svelte:element>` Tag Validation
Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in . This issue has been patched in version 5.55.7...
CVE-2026-42567 Svelte: ReDoS in `<svelte:element>` Tag Validation
Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in . This issue has been patched in version 5.55.7...
EUVD-2026-35701
Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7...
CVE-2026-42573
CVE-2026-42573 affects Svelte before version 5.55.7, where DOM clobbering of the internal framework state on elements could lead to XSS . The issue is patched in version 5.55.7 . The vulnerability relates to attribute spreading on a form element and the use of spread or dynamic name attributes on...
CVE-2026-42573 Svelte: XSS via DOM Clobbering of Internal Framework State
Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7...
EUVD-2026-8800
Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers...
EUVD-2026-8799
Svelte vulnerable to XSS during SSR with contenteditable bind:innerText and bind:textContent...
CVE-2026-27902
Svelte performance oriented web framework. Prior to version 5.53.5, errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError. Version 5.53.5 fixes the...
CVE-2026-27902 Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers
Svelte performance oriented web framework. Prior to version 5.53.5, errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError. Version 5.53.5 fixes the...
CVE-2026-27902
Svelte performance oriented web framework. Prior to version 5.53.5, errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError. Version 5.53.5 fixes the...
CVE-2026-27901
Svelte performance oriented web framework. Prior to version 5.53.5, the contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting XSS if rendering untrusted data as the binding's initial value o...
PT-2026-22077
Svelte performance oriented web framework. Prior to version 5.53.5, errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError. Version 5.53.5 fixes the...
CVE-2026-27121
svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting XSS during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an...
CVE-2026-27119
svelte performance oriented web framework. From 5.39.3, element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5...
CVE-2026-27125 Svelte SSR attribute spreading includes inherited properties from prototype chain
svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements e.g. enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a...
CVE-2026-27125 Svelte SSR attribute spreading includes inherited properties from prototype chain
svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements e.g. enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a...
CVE-2026-27125
svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements e.g. enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a...