CVE Catalog

CVE-2026-42599

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

10th percentile - higher than 10% of all known CVEs

Summary

Svelte is a performance-oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties were included in the rendered HTML. This allowed attackers to inject malicious event handlers that could execute in victims' browsers.

Risk Assessment

Organizations may be exposed to attacks that exploit injected malicious scripts, potentially leading to data theft or session hijacking. The risk increases when applications use user-controlled or external data.

Recommendation

It is recommended to update Svelte to version 5.55.7 or later to mitigate this vulnerability. Additionally, avoid using data from untrusted sources in element attributes.

Original NVD description (English source)

Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. Note that this vulnerability only triggers if the user's browser has JavaScript enabled but Svelte's hydration mechanism does not reach the vulnerable element before the event fires. This issue has been patched in version 5.55.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS