CVE-2026-54267

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered SSR environments, Angular supports Hydration via...

CVE-2026-54267 Angular Client Hydration DOM Clobbering & Response-Cache Poisoning

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered SSR environments, Angular supports Hydration via...

EUVD-2026-38271

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered SSR environments, Angular supports Hydration via...

CVE-2026-54267

Summary: Angular’s SSR hydration uses a state element with a predictable id (ng-state). In versions prior to 22.0.1, 21.2.17, and 20.3.25, an attacker could DOM-clobber by injecting an element with that id before the legitimate [removed] tag is parsed, causing Angular to parse forged JSON from Tr...

CVE-2026-42573

A flaw was found in Svelte, a web framework. An attacker could exploit a DOM clobbering vulnerability, which allows manipulation of the Document Object Model DOM to overwrite internal framework state on elements. This could potentially lead to Cross-Site Scripting XSS attacks, enabling the attack...

Astra Linux – Vulnerability in Puma

Puma is a Ruby/Rack web server designed for parallelism. In affected versions, clients could manipulate values set by intermediate proxies such as X-Forwarded-For by providing a version of the header with an underscore . Any users who rely on proxy-defined headers are affected. Versions...

GHSA-RGJC-H3X7-9MWG Angular Client Hydration DOM Clobbering & Response-Cache Poisoning

To optimize client-side bootstrap in Server-Side Rendered SSR environments, Angular supports Hydration via provideClientHydration. During SSR, Angular serializes the application's runtime state such as cached HttpClient responses and outputs it into the HTML stream as a tag with a predictable...

Angular Client Hydration DOM Clobbering & Response-Cache Poisoning

To optimize client-side bootstrap in Server-Side Rendered SSR environments, Angular supports Hydration via provideClientHydration. During SSR, Angular serializes the application's runtime state such as cached HttpClient responses and outputs it into the HTML stream as a tag with a predictable...

Modification of Assumed-Immutable Data

Overview @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this...

PT-2026-49247

Name of the Vulnerable Software and Affected Versions Angular versions prior to 22.0.1 Angular versions prior to 21.2.17 Angular versions prior to 20.3.25 Description Angular supports Hydration via provideClientHydration to optimize client-side bootstrap in Server-Side Rendered SSR environments...

CVE-2026-42573

Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7...

EUVD-2026-35701

Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7...

CVE-2026-42573 Svelte: XSS via DOM Clobbering of Internal Framework State

Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7...

CVE-2026-42573 Svelte: XSS via DOM Clobbering of Internal Framework State

Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7...

CVE-2026-42573

CVE-2026-42573 affects Svelte before version 5.55.7, where DOM clobbering of the internal framework state on elements could lead to XSS . The issue is patched in version 5.55.7 . The vulnerability relates to attribute spreading on a form element and the use of spread or dynamic name attributes on...

CVE-2026-8492 Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035

Modification of Assumed-Immutable Data MAID vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5...

CVE-2026-8492

The CVE-2026-8492 issue concerns the GTranslate/Translate Drupal module for Drupal, where a MAID vulnerability allows Resource Location Spoofing. The root cause is inadequate validation in the module’s language-switcher widget JavaScript, specifically around document.currentScript, which can caus...

NPM: Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State

NPM: Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State vulnerability discovered by ? in WordPress Npm svelte versions = 5.55.6...

GHSA-RCQX-6Q8C-2C42 Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State

Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. You are vulnerable if all of the following is true: - you are using attribute spreading on a form element - you are using attribute spreading or allow a dynamic value for the...

Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State

Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. You are vulnerable if all of the following is true: - you are using attribute spreading on a form element - you are using attribute spreading or allow a dynamic value for the...