Medium severity 5.9 · GHSA Advisory · Published May 14, 2026 · Updated May 14, 2026
Svelte: ReDoS in `<svelte:element>` Tag Validation
CVE-2026-42567
Description
An internal regex in the Svelte runtime can take exponential time to test the tag in `<svelte:element this={tag}></svelte:element>`. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags, or trims their length before passing them to `svelte:element`, you are safe.
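The two mitigations named in the description (a predetermined tag list, or a length limit applied before the value reaches `svelte:element`), as an added example that is not from the advisory or from Svelte itself. `ALLOWED_TAGS`, `MAX_TAG_LENGTH`, `safeTag` and `trimTag` are hypothetical names, and the limit of 32 is a constructed value, not a threshold stated in the advisory.

```javascript
// Added example (not Svelte's code). All names and the limit are assumptions.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'section', 'article', 'h1', 'h2', 'h3']);
const MAX_TAG_LENGTH = 32; // constructed value; choose one that fits your tags

// Mitigation 1: predetermined list. Anything else falls back to a fixed tag.
function safeTag(input, fallback = 'div') {
  if (typeof input !== 'string') return fallback;
  // Cheap length check first, so oversized input is never processed further.
  if (input.length > MAX_TAG_LENGTH) return fallback;
  const tag = input.toLowerCase();
  return ALLOWED_TAGS.has(tag) ? tag : fallback;
}

// Mitigation 2: trim the length when an allowlist is not practical
// (for example, custom element names). No regex is run on the input here.
function trimTag(input, maxLength = MAX_TAG_LENGTH) {
  // A nullish `this` makes <svelte:element> render nothing.
  if (typeof input !== 'string') return undefined;
  return input.length > maxLength ? input.slice(0, maxLength) : input;
}

// Usage in a component:
//   <svelte:element this={safeTag(tag)}>...</svelte:element>
```

Apply the check at the point where untrusted data becomes the `this` value, so every code path that renders the element goes through it.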
Affected products (1)
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.