Medium severity5.3GHSA Advisory· Published May 14, 2026

Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State

CVE-2026-42573

Description

Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.

You are vulnerable if all of the following is true: - you are using attribute spreading on a form element - you are using attribute spreading or allow a dynamic value for the name attribute on an input or button element within that form - both of these are simultaneously user-controllable

<form {...spread1}>
  <input {...spread2}>
</form>

Affected products

Sveltejs/SvelteGHSA
Range: <= 5.55.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-rcqx-6q8c-2c42ghsaADVISORY
github.com/sveltejs/svelte/releases/tag/svelte%405.55.7ghsa
github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42ghsa

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000