CVE-2026-42599
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk10th percentile - higher than 10% of all known CVEs
Summary
Svelte is a performance-oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties were included in the rendered HTML. This allowed attackers to inject malicious event handlers that could execute in victims' browsers.
Risk Assessment
Organizations may be exposed to attacks that exploit injected malicious scripts, potentially leading to data theft or session hijacking. The risk increases when applications use user-controlled or external data.
Recommendation
It is recommended to update Svelte to version 5.55.7 or later to mitigate this vulnerability. Additionally, avoid using data from untrusted sources in element attributes.
Original NVD description (English source)
Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. Note that this vulnerability only triggers if the user's browser has JavaScript enabled but Svelte's hydration mechanism does not reach the vulnerable element before the event fires. This issue has been patched in version 5.55.7.

