Skip to main content

Svelte EUVDEUVD-2026-35701

| CVE-2026-42573 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-14 https://github.com/sveltejs/svelte GHSA-rcqx-6q8c-2c42
5.3
CVSS 4.0 · Vendor: https://github.com/sveltejs/svelte
Share

Severity by source

Vendor (https://github.com/sveltejs/svelte) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/sveltejs/svelte).

CVSS VectorVendor: https://github.com/sveltejs/svelte

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Jun 09, 2026 - 17:22 NVD
5.3 (MEDIUM)
Source Code Evidence Fetched
May 14, 2026 - 22:06 vuln.today
Analysis Generated
May 14, 2026 - 22:06 vuln.today
CVE Published
May 14, 2026 - 20:29 nvd
MEDIUM

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 npm packages depend on svelte (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.55.7.

DescriptionCVE.org

Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.

You are vulnerable if all of the following is true:

  • you are using attribute spreading on a form element
  • you are using attribute spreading or allow a dynamic value for the name attribute on an input or button element within that form
  • both of these are simultaneously user-controllable
svelte
<form {...spread1}>
  <input {...spread2}>
</form>

AnalysisAI

Cross-site scripting (XSS) via DOM clobbering in Svelte versions 5.55.6 and earlier allows attackers to inject malicious code when attribute spreading is used simultaneously on both form elements and their child input/button elements with user-controllable name attributes. The vulnerability requires specific markup patterns where both the form and nested input/button use spread syntax with attacker-controlled values, enabling manipulation of Svelte's internal framework state. Vendor-released patch: version 5.55.7.

Technical ContextAI

Svelte is a JavaScript framework that compiles components at build time rather than running a virtual DOM at runtime. The vulnerability stems from DOM clobbering, where attacker-controlled attribute names or values on HTML form elements can override or shadow Svelte's internal properties used to track framework state. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates insufficient sanitization of user-supplied values when constructing DOM attributes. The attack exploits the combination of spread operators ({...spread}) in Svelte templates with user-controllable inputs, allowing an attacker to inject attributes that conflict with Svelte's internal state management, particularly on hydratable forms (server-side rendered and hydrated on the client). The fix involves hardening attribute name validation during server-side rendering, moving Svelte runtime properties to symbols to prevent property shadowing, and enhancing regex patterns to block malicious constructs.

RemediationAI

Upgrade Svelte to version 5.55.7 or later immediately. This is the primary fix and addresses the DOM clobbering vulnerability through multiple hardening measures: preventing XSS on the hydratable feature from user contents, disallowing empty attribute names during server-side rendering, hardening regex patterns, and moving Svelte runtime properties to symbols to prevent property shadowing. For applications unable to upgrade immediately, apply input validation to reject or sanitize user-supplied values used in attribute spreading contexts-specifically, disallow or escape any user input that flows into the name attribute of input or button elements within forms that also use attribute spreading. Additionally, review component templates to minimize use of attribute spreading ({...spread}) on form elements; where possible, use explicit attribute binding instead. These mitigations carry the trade-off of reduced templating flexibility but eliminate the attack vector. Consult the GitHub advisory at https://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42 for additional context.

Vendor StatusVendor

Share

EUVD-2026-35701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy