Svelte CVE-2026-42567

MEDIUM
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-05-14 https://github.com/sveltejs/svelte GHSA-9rmh-mm8f-r9h6
Lifecycle Timeline

Source Code Evidence Fetched: May 14, 2026 - 22:15 (vuln.today)
Analysis Generated: May 14, 2026 - 22:15 (vuln.today)
CVE Published: May 14, 2026 - 20:29 (nvd)
Blast Radius

Ecosystem impact
  • 1 npm package depends on svelte (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.51.5.

Description (NVD)

An internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to svelte:element, you are safe.

Analysis (AI)

Regular expression denial of service (ReDoS) in Svelte 5.51.5 through 5.55.6 allows attackers to cause an application hang or crash by passing unconstrained-length tag names to the <svelte:element> component, which triggers exponential regex evaluation time in the runtime tag validation logic. An application is exposed only if it accepts user-controlled tag input without length or content restrictions.
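
The two safe conditions the description names (a predetermined list of tags, or a trimmed length), written as an added example; this is not Svelte's code and not part of the advisory. The names safeTag and clampTag, the tag list and the 32-character cap are assumptions.

```javascript
// Added example: constrain a user-supplied tag before it reaches
// <svelte:element this={tag}>. All names and limits here are hypothetical.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'section', 'article', 'h1', 'h2', 'h3']);
const MAX_TAG_LENGTH = 32; // assumed cap, longer than any tag in the allowlist
const FALLBACK_TAG = 'div';

// Option 1: predetermined list. Returns an allowlisted tag or the fallback.
function safeTag(input, fallback = FALLBACK_TAG) {
  // Non-strings (null, arrays, objects with a custom toString) never pass.
  if (typeof input !== 'string') return fallback;
  // The length check runs first and is O(1), so nothing below ever
  // scans an unbounded string.
  if (input.length > MAX_TAG_LENGTH) return fallback;
  // The allowlist holds lowercase HTML tags only, so normalising case is safe here.
  const tag = input.trim().toLowerCase();
  // Exact-match lookup: no pattern matching on attacker-controlled input.
  return ALLOWED_TAGS.has(tag) ? tag : fallback;
}

// Option 2: when a fixed list is not possible, bound the length only.
// This caps the work any downstream regex can do; it does not validate content.
function clampTag(input, max = MAX_TAG_LENGTH) {
  return typeof input === 'string' ? input.slice(0, max) : FALLBACK_TAG;
}

// Constructed sample inputs, as they might arrive from a CMS field or query string.
function demo() {
  const samples = ['SPAN', ' h2 ', 'script', 'a'.repeat(100000), null];
  return samples.map((s) => safeTag(s));
}
```

In a component the call sits at the binding, for example <svelte:element this={safeTag(tag)}>, so no unbounded value reaches the runtime check.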
