@budibase/server (>=3.32.1 <=3.38.1), @builders-of-stuff/svelte-sui-wallet-adapter (>=0.6.6 <=2.1.0) +53 more potentially affected by CVE-2026-27125 via svelte (>=5.0.0-next.1 <=5.51.2)

svelte NPM version =5.0.0-next.1, =3.32.1, =0.6.6, =4.0.0-alpha.1, =4.0.0-alpha.1, =0.1.0, =0.0.1, =1.3.0, =0.1.4, =0.0.20, =0.15.0, =1.1.0-beta.0, =5.0.0-next.80, =0.1.1-alpha.24, =0.1.3-next.2 and more Source cves: CVE-2026-27125 Source advisory: SNYK:JS-SVELTE-15322714...

Cross-site Scripting (XSS)

Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the svelte:element tags. An attacker can inject arbitrary HTML into the server-side rendered output by supplying a crafted tag name. Details Cross-site...

@budibase/server (>=3.32.1 <=3.38.1), @builders-of-stuff/svelte-sui-wallet-adapter (>=0.6.6 <=2.1.0) +53 more potentially affected by CVE-2026-27122 via svelte (>=5.0.0-next.1 <=5.51.2)

svelte NPM version =5.0.0-next.1, =3.32.1, =0.6.6, =4.0.0-alpha.1, =4.0.0-alpha.1, =0.1.0, =0.0.1, =1.3.0, =0.1.4, =0.0.20, =0.15.0, =1.1.0-beta.0, =5.0.0-next.80, =0.1.1-alpha.24, =0.1.3-next.2 and more Source cves: CVE-2026-27122 Source advisory: SNYK:JS-SVELTE-15322733...

@alexanderniebuhr/eslint-config (>=1.3.0 <=1.4.0), @alexanderniebuhr/style (>=1.1.0 <=1.3.0) +171 more potentially affected by unknown CVE via svelte (>=3.12.1 <=3.59.1)

svelte NPM version =3.12.1, =1.3.0, =1.1.0, =1.3.0, =1.0.3, =0.0.999-alpha.30, =10.0.0, =7.1.4, =21.0.4, =8.0.4, =2.0.4, =1.0.1, =6.0.4, =12.1.1 and more Source cves: unknown CVE Source advisory: OSV:GHSA-GW32-9RMW-QWWW...

EUVD-2026-2733

An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a block without HTML‑safe escaping, allowing to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for...

PT-2026-3102

An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a block without HTML‑safe escaping, allowing to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for...

Svelte 安全漏洞

Svelte is a new way to build web applications open-sourced by Svelte. A security vulnerability exists in versions of Svelte prior to 5.3.2 that stems from not properly checking input object properties, which could lead to prototype contamination...

@alexanderniebuhr/eslint-config (>=1.3.0 <=1.4.0), @alexanderniebuhr/style (>=1.1.0 <=1.3.0) +116 more potentially affected by CVE-2022-25875 via svelte (>=3.12.1 <=3.48.0)

svelte NPM version =3.12.1, =1.3.0, =1.1.0, =1.3.0, =0.7.7, =10.0.0, =7.1.4, =21.0.4, =8.0.4, =2.0.4, =1.0.1, =6.0.4, =5.0.2, =4.0.2, =1.0.1, =5.0.8, =12.0.48 and more Source cves: CVE-2022-25875 Source advisory: SNYK:JS-SVELTE-2931080...