Lucene search
K

420 matches found

Snyk
Snyk
added 2026/02/19 8:28 p.m.4 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview org.webjars.npm:svelte is a package for building web applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in server-side rendering when attribute spreading is performed on elements. An attacker ca...

6.8CVSS5.8AI score0.00377EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/19 8:28 p.m.6 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in server-side rendering when attribute spreading is performed on elements. An attacker can inject...

6.8CVSS5.6AI score0.00377EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/02/19 8:28 p.m.16 views

Svelte SSR attribute spreading includes inherited properties from prototype chain

In server-side rendering, attribute spreading on elements e.g. enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpect...

6.8CVSS5.5AI score0.00377EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/02/19 8:28 p.m.2 views

GHSA-CRPF-4HRX-3JRP Svelte SSR attribute spreading includes inherited properties from prototype chain

In server-side rendering, attribute spreading on elements e.g. enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpect...

5.3CVSS5.5AI score0.00377EPSS
Exploits0References5
Snyk
Snyk
added 2026/02/19 3:18 p.m.2 views

Cross-site Scripting (XSS)

Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the svelte:element tags. An attacker can inject arbitrary HTML into the server-side rendered output by supplying a crafted tag name. Details Cross-site...

5.5CVSS5.6AI score0.00189EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/02/19 3:18 p.m.8 views

Svelte SSR does not validate dynamic element tag names in `<svelte:element>`

When using in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected...

5.4CVSS5.5AI score0.00189EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/19 3:18 p.m.3 views

GHSA-M56Q-VW4C-C2CP Svelte SSR does not validate dynamic element tag names in `<svelte:element>`

When using in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected...

5CVSS5.5AI score0.00189EPSS
Exploits0References3
Snyk
Snyk
added 2026/02/19 3:18 p.m.2 views

Cross-site Scripting (XSS)

Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the spread syntax when rendering attributes from untrusted data during server-side rendering. An attacker can execute arbitrary JavaScript in the context of...

5.5CVSS5.6AI score0.00189EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/19 3:18 p.m.2 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the spread syntax when rendering attributes from untrusted data during server-side rendering. An attacker can execute arbitrary JavaScript i...

5.5CVSS5.9AI score0.00189EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/02/19 3:18 p.m.7 views

Svelte affected by cross-site scripting via spread attributes in Svelte SSR

Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting XSS during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external...

5.4CVSS5.2AI score0.00189EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/19 3:18 p.m.3 views

GHSA-F7GR-6P89-R883 Svelte affected by cross-site scripting via spread attributes in Svelte SSR

Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting XSS during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external...

5CVSS5.2AI score0.00189EPSS
Exploits0References3
Snyk
Snyk
added 2026/02/19 3:18 p.m.3 views

Cross-site Scripting (XSS)

Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the server-side rendering process of the element, which does not properly escape its content. An attacker can inject arbitrary HTML into the SSR output by...

7.7CVSS5.5AI score0.00182EPSS
Exploits0References2
OSV
OSV
added 2026/02/19 3:18 p.m.3 views

GHSA-H7H7-MM68-GMRC Svelte affected by XSS in SSR `<option>` element

In certain circumstances, the server-side rendering output of an element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected...

5CVSS5.5AI score0.00182EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.6 views

PT-2026-21306

Name of the Vulnerable Software and Affected Versions Svelte versions prior to 5.51.5 Description Svelte is susceptible to cross-site scripting XSS during server-side rendering. Utilizing spread syntax with untrusted data can lead to the inclusion of event handler properties in the generated HTML...

5.4CVSS6.1AI score0.00189EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.4 views

PT-2026-20873

When using in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected...

5CVSS5.5AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.5 views

PT-2026-20881

Name of the Vulnerable Software and Affected Versions Svelte versions prior to 5.51.5 Description A flaw exists in Svelte where, during server-side rendering, the tag name provided to the component is not validated or sanitized before being included in the HTML output. This can lead to HTML...

5CVSS5.3AI score0.00189EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.5 views

PT-2026-21305

Name of the Vulnerable Software and Affected Versions Svelte versions 5.39.3 through 5.51.4 Description Svelte is susceptible to a flaw where, under specific conditions, the server-side rendering of an element fails to properly escape its content. This can lead to potential HTML injection within...

5.4CVSS5.8AI score0.00182EPSS
Exploits0References8
OSV
OSV
added 2026/02/12 3:31 a.m.3 views

GHSA-G4XW-JXRG-5F6M next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content...

8.8CVSS6.3AI score0.00582EPSS
Exploits0References5
Snyk
Snyk
added 2026/02/12 2:51 a.m.4 views

Arbitrary Code Injection

Overview next-mdx-remote is an utilities for loading mdx from any remote source as data, rather than as a local import Affected versions of this package are vulnerable to Arbitrary Code Injection via the serialize function. An attacker can execute arbitrary code by submitting specially crafted MD...

8.8CVSS6.3AI score0.00582EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/02/12 1:35 a.m.31 views

CVE-2026-0969 Arbitrary code execution in React server-side rendering of untrusted MDX content

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0...

8.8CVSS0.00582EPSS
Exploits0References1
Rows per page
Query Builder