Sveltejs
Recent CVEs
| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2025-57820 | High | 0.44 | — | 0.00 | Aug 26, 2025 | Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties,… |
| CVE-2026-42570 | High | 0.42 | 7.5 | 0.00 | Jun 9, 2026 | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than… |
| CVE-2026-42567 | High | 0.42 | 7.5 | 0.00 | Jun 9, 2026 | Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7. |
| CVE-2026-40074 | High | 0.42 | 7.5 | 0.00 | Apr 10, 2026 | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled… |
| CVE-2026-40073 | High | 0.42 | 7.5 | 0.01 | Apr 10, 2026 | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size… |
| CVE-2026-42599 | Medium | 0.33 | 6.1 | 0.00 | Jun 9, 2026 | Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element… |
| CVE-2026-42573 | Medium | 0.33 | 6.1 | 0.00 | Jun 9, 2026 | Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7. |
| CVE-2025-32388 | Medium | 0.28 | 5.4 | 0.00 | Apr 15, 2025 | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6, unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function.… |
| CVE-2026-30226 | | 0.00 | — | 0.00 | Mar 11, 2026 | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful… |
| CVE-2026-27902 | | 0.00 | — | 0.00 | Feb 26, 2026 | Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`.… |
| CVE-2026-27901 | | 0.00 | — | 0.00 | Feb 26, 2026 | Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the… |
| CVE-2026-27125 | | 0.00 | — | 0.00 | Feb 20, 2026 | svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. ) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype… |
| CVE-2026-27122 | | 0.00 | — | 0.00 | Feb 20, 2026 | svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can… |
| CVE-2026-27121 | | 0.00 | — | 0.00 | Feb 20, 2026 | svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML… |
| CVE-2026-27119 | | 0.00 | — | 0.00 | Feb 20, 2026 | svelte performance oriented web framework. From 5.39.3, <=5.51.4, in certain circumstances, the server-side rendering output of an element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected.… |
| CVE-2025-15265 | | 0.00 | — | 0.00 | Jan 15, 2026 | An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a to terminate the script and inject arbitrary JavaScript. This enables remote script… |
| CVE-2026-22775 | | 0.00 | — | 0.00 | Jan 15, 2026 | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in… |
| CVE-2026-22774 | | 0.00 | — | 0.00 | Jan 15, 2026 | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in… |
| CVE-2026-22803 | | 0.00 | — | 0.01 | Jan 15, 2026 | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the… |
| CVE-2025-67647 | | 0.00 | — | 0.00 | Jan 15, 2026 | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability… |