CVE-2026-27125
MEDIUM
GHSA-crpf-4hrx-3jrp
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Tags
Description
svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted - a precondition outside of Svelte's control - this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
Analysis
Svelte versions prior to 5.51.5 improperly enumerate prototype chain properties during server-side rendering attribute spreading, allowing polluted Object.prototype properties to inject unexpected attributes into SSR output or cause rendering errors. This vulnerability affects applications using SSR where the prototype chain has been previously manipulated, though client-side rendering is unaffected. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today