VYPR · Vendor CVEs · Sveltejs · All CVEs

28 total · sorted by risk
  • CVE-2025-57820 · High · Aug 26, 2025
    risk 0.44 · cvss n/a · epss 0.00

    Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties,…

  • CVE-2026-42570 · High · Jun 9, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than…

  • CVE-2026-42567 · High · Jun 9, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7.

  • CVE-2026-40074 · High · Apr 10, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in an HTTP header, will cause an unhandled…
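The entry above turns on one check: a redirect target must be a legal HTTP header value before it is written into Location. The following is an added example, not SvelteKit's redirect or handle code; the function names and the shape of the returned response object are assumptions made for illustration. It rejects CR, LF and NUL outright, percent-encodes everything else that is not legal in a header, and shows how a hook wrapper would turn a bad target into a controlled 400 rather than an unhandled error.

```javascript
// Added example (not SvelteKit's own code): validating a redirect target
// before it becomes a Location header. A header field value may not contain
// CR, LF or NUL, and HTTP stacks commonly reject other control characters
// and non-Latin-1 characters as well; handing such a string straight to the
// response layer is what surfaces as an unhandled error. Here the check is
// made up front, and a bad target becomes a controlled 400 instead.

class InvalidRedirectError extends Error {}

function buildRedirect(status, location) {
  if (!Number.isInteger(status) || status < 300 || status > 308) {
    throw new InvalidRedirectError(`invalid redirect status: ${status}`);
  }
  if (typeof location !== 'string' || location.length === 0) {
    throw new InvalidRedirectError('location must be a non-empty string');
  }
  // CR, LF and NUL are rejected rather than encoded away: in a redirect
  // target they indicate either a bug or an injection attempt.
  if (/[\r\n\0]/.test(location)) {
    throw new InvalidRedirectError('location contains CR, LF or NUL');
  }
  // encodeURI percent-encodes every remaining character that is not legal
  // in a header value (non-ASCII, other controls) while leaving URL
  // delimiters such as "/", "?", "=", "&" and "#" intact, so the result is
  // printable ASCII.
  let encoded;
  try {
    encoded = encodeURI(location);
  } catch (e) {
    // URIError: a lone surrogate cannot be encoded as a URI.
    throw new InvalidRedirectError('location is not URI-encodable');
  }
  return { status, headers: { location: encoded } };
}

// Hypothetical hook-style wrapper (not SvelteKit's API): an invalid target
// is answered with a 400 the client can see instead of propagating as an
// exception that takes the request down.
function redirectOrReject(status, location) {
  try {
    return buildRedirect(status, location);
  } catch (e) {
    if (e instanceof InvalidRedirectError) {
      return { status: 400, headers: {}, body: `Bad redirect target: ${e.message}` };
    }
    throw e;
  }
}

// Constructed redirect targets exercising the check:
const TARGETS = [
  '/account',                // plain path, passed through unchanged
  '/caf\u00e9',              // non-ASCII, encoded to /caf%C3%A9
  '/x\r\nSet-Cookie: a=b',   // header-injection shape, rejected
  '\ud800',                  // lone surrogate, rejected
];

function checkTargets() {
  return TARGETS.map((t) => redirectOrReject(303, t));
}
```

The choice to reject CR/LF/NUL instead of encoding them is deliberate: a silently encoded `%0D%0A` redirect is still a sign that untrusted input reached the redirect target, and a visible 400 is easier to notice in logs than a strange-looking 303.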

  • CVE-2026-40073 · High · Apr 10, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size…

  • CVE-2026-42599 · Medium · Jun 9, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element…

  • CVE-2026-42573 · Medium · Jun 9, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7.

  • CVE-2025-32388 · Medium · Apr 15, 2025
    risk 0.28 · cvss 5.4 · epss 0.00

    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6, unsanitized search param names cause an XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function.…

  • CVE-2026-30226 · Mar 11, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful…
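The two devalue prototype-pollution entries (CVE-2025-57820 above and CVE-2026-30226 here) describe the same pair of missing checks when a flattened payload is turned back into objects: a key that alters an object's prototype, and an index that is not actually a number. The following is an added example, not devalue's own code: a hardened unflatten for a simplified flattened format in the style of the one devalue.parse consumes. The slot layout, the function names and the sample payloads are assumptions made for illustration; the point is where the two checks sit.

```javascript
// Added example (not devalue's own code): a hardened "unflatten" for a
// simplified flattened format. Input: an array of slots. A slot is a
// primitive, an array of slot indices, or a plain object whose values are
// slot indices. Two checks are enforced on every reference: the key must not
// be a prototype-affecting name, and the index must be a real, in-bounds
// integer.

// __proto__ is the key named in the advisories; constructor and prototype
// are added as the usual conservative companions for deep-merge style code.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSlotIndex(ref, length) {
  // Number.isInteger rejects strings ("__proto__", "0"), floats, NaN and
  // Infinity; the range check rejects negative and out-of-range indices.
  return Number.isInteger(ref) && ref >= 0 && ref < length;
}

function unflatten(slots) {
  if (!Array.isArray(slots)) throw new TypeError('expected an array of slots');
  const hydrated = new Array(slots.length);
  const done = new Array(slots.length).fill(false);

  function hydrate(ref) {
    if (!isSlotIndex(ref, slots.length)) {
      throw new RangeError(`invalid slot index: ${String(ref)}`);
    }
    if (done[ref]) return hydrated[ref];
    const slot = slots[ref];

    if (slot === null || typeof slot !== 'object') {
      hydrated[ref] = slot;
      done[ref] = true;
      return slot;
    }

    if (Array.isArray(slot)) {
      // Register the container before filling it so cyclic references resolve.
      const arr = [];
      hydrated[ref] = arr;
      done[ref] = true;
      for (const child of slot) arr.push(hydrate(child));
      return arr;
    }

    const obj = {};
    hydrated[ref] = obj;
    done[ref] = true;
    // Object.keys yields own enumerable keys only, never inherited ones.
    for (const key of Object.keys(slot)) {
      if (FORBIDDEN_KEYS.has(key)) {
        throw new Error(`refusing to assign prototype-affecting key: ${key}`);
      }
      // defineProperty creates an own data property; unlike obj[key] = value
      // it never invokes a setter or changes the prototype.
      Object.defineProperty(obj, key, {
        value: hydrate(slot[key]),
        writable: true,
        enumerable: true,
        configurable: true,
      });
    }
    return obj;
  }

  return hydrate(0);
}

// Constructed sample inputs (not taken from any real payload):
const GOOD = [{ name: 1, tags: 2 }, 'svelte', [3, 3], 'web'];
// JSON.parse is used so that "__proto__" is an own key; an object literal in
// source code would set the prototype instead.
const PROTO_PAYLOAD = JSON.parse('[{"__proto__": 1}, {"polluted": true}]');
const BAD_INDEX = [{ a: '1' }, 'x'];   // index given as a string, not a number

function tryUnflatten(slots) {
  try {
    return { ok: true, value: unflatten(slots) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}
```

Rejecting the payload (rather than skipping the bad key) is the safer default for a deserializer: a payload that names `__proto__` or carries a non-numeric index is malformed by construction, and partial hydration would hide that from the caller.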

  • CVE-2026-27902 · Feb 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Svelte is a performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`.…

  • CVE-2026-27901 · Feb 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Svelte is a performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the…

  • CVE-2026-27125 · Feb 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Svelte is a performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. ) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype…

  • CVE-2026-27122 · Feb 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Svelte is a performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can…
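Two of the `<svelte:element this={tag}>` entries describe the two ways tag-name handling can go wrong: emitting an unvalidated tag (CVE-2026-27122, above) and validating it with a regex that takes exponential time (CVE-2026-42567, earlier in the list). The following is an added example, not Svelte's own code: a single-pass allow-list check that covers both, since a hand-written loop has no backtracking and its cost is linear in the input length whatever the content. The accepted character set (ASCII letters, digits and hyphen, starting with a letter) is a deliberate assumption narrower than the HTML specification; the emitter function and its name are illustrative.

```javascript
// Added example (not Svelte's own code): validating the tag name that a
// dynamic element would emit during SSR, with one pass over the string
// instead of a regular expression.

// Characters accepted after the first letter. Hyphen covers custom elements
// ("my-widget"); letters and digits cover standard HTML/SVG tags. Names
// using "_", "." or a namespace prefix are rejected by this allow-list.
function isTagBodyChar(c) {
  return (c >= 'a' && c <= 'z') ||
         (c >= 'A' && c <= 'Z') ||
         (c >= '0' && c <= '9') ||
         c === '-';
}

function isValidTagName(tag) {
  if (typeof tag !== 'string' || tag.length === 0) return false;
  const first = tag[0];
  if (!((first >= 'a' && first <= 'z') || (first >= 'A' && first <= 'Z'))) return false;
  for (let i = 1; i < tag.length; i++) {
    if (!isTagBodyChar(tag[i])) return false;
  }
  return true;
}

// A minimal SSR emitter for a dynamic element (hypothetical). It refuses to
// write an unvalidated tag into the output; attributes are not handled here
// and innerHtml is assumed to be already-safe markup.
function renderDynamicElement(tag, innerHtml) {
  if (!isValidTagName(tag)) {
    throw new Error(`invalid tag name for dynamic element: ${JSON.stringify(tag)}`);
  }
  return `<${tag}>${innerHtml}</${tag}>`;
}

// Constructed inputs for illustration:
const TAGS = {
  plain: 'div',
  custom: 'my-widget',
  breakout: 'div><script>alert(1)</script><div',  // would escape the tag
  spaced: 'div onclick=x',                          // would add an attribute
  empty: '',
  digitFirst: '1div',
  long: 'a'.repeat(200000),                         // large input, still one linear scan
};

function classifyTags(tags) {
  const result = {};
  for (const [name, tag] of Object.entries(tags)) result[name] = isValidTagName(tag);
  return result;
}
```

If a regex is preferred for readability, the same allow-list as `/^[A-Za-z][A-Za-z0-9-]*$/` is also linear because it has no nested or overlapping quantifiers; the exponential case arises from patterns where the engine can split the same input between alternatives in many ways.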

  • CVE-2026-27121 · Feb 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Svelte is a performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML…
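Three entries in this list concern the same SSR operation, turning a spread object into attribute text: event-handler properties being rendered (CVE-2026-42599 and CVE-2026-27121) and inherited properties being enumerated (CVE-2026-27125). The following is an added example, not Svelte's own renderer: an attribute serializer that renders own properties only, drops anything that looks like an event handler, validates attribute names, and stringifies each value before escaping it for the attribute context. The function names and the props-building helper are assumptions made for illustration.

```javascript
// Added example (not Svelte's own code): rendering a spread object to an
// HTML attribute string during SSR, with the three rules the advisories
// point at: own properties only, no event handlers, escape after
// stringifying.

function escapeAttribute(value) {
  // Stringify first so objects with a custom toString are escaped too, then
  // neutralise the characters that can end a quoted attribute or the tag.
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute names: a letter, underscore or colon, then letters, digits,
// "_", ":", "." or "-". The pattern has no nested quantifiers, so it runs in
// linear time. Anything else (spaces, quotes, "=", "/", ">") could break
// out of the attribute list and is dropped.
const ATTR_NAME = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;

function renderSpreadAttributes(props) {
  const parts = [];
  // Object.keys returns own enumerable keys only, so a polluted
  // Object.prototype or an explicit prototype contributes nothing.
  for (const name of Object.keys(props)) {
    const value = props[name];
    if (value === undefined || value === null || value === false) continue;
    // Conservative rule: never render an attribute whose name starts with
    // "on" when it came from data. This also drops a harmless "one" or
    // "online"; handler names are not worth an allow-list of events.
    if (/^on/i.test(name)) continue;
    if (!ATTR_NAME.test(name)) continue;
    if (value === true) { parts.push(name); continue; }   // boolean attribute
    parts.push(`${name}="${escapeAttribute(value)}"`);
  }
  return parts.join(' ');
}

// Constructed sample: a props object as an application might build from
// untrusted data. Object.create() gives it a prototype carrying an
// attribute, to show inherited properties being ignored.
function buildUntrustedProps() {
  const inherited = { 'data-inherited': 'leak' };
  const props = Object.create(inherited);
  props.class = 'card';
  props.title = '"><img src=x onerror=alert(1)>';
  props.onclick = 'alert(1)';
  props.onMouseOver = 'alert(2)';
  props.disabled = true;
  props.hidden = false;
  props.sneaky = { toString() { return '"><b>x</b>'; } };
  props['a b'] = 'broken name';
  return props;
}
```

Whether to drop or reject invalid names is a judgment call; dropping is used here because throwing on a key an attacker controls turns an XSS fix into a denial-of-service lever, and the application should never have let untrusted keys reach the spread in the first place.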

  • CVE-2026-27119 · Feb 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Svelte is a performance oriented web framework. From 5.39.3 up to and including 5.51.4, in certain circumstances, the server-side rendering output of an element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected.…

  • CVE-2025-15265 · Jan 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside an inline script, where a crafted key can terminate the script and inject arbitrary JavaScript. This enables remote script…
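The failure mode in this entry is specific to inline scripts: the HTML parser ends a script element at the first `</script` it sees, before any JavaScript runs, so a JSON string literal containing that sequence breaks out of the script. The following is an added example, not Svelte's hydration code: a serializer that escapes the characters that matter inside a script element as `\uXXXX` sequences (which JSON and JavaScript both accept), and an emitter that only ever writes the escaped form. The `window.__hydrate` call and the function names are assumptions made for illustration.

```javascript
// Added example (not Svelte's own code): serialising an attacker-influenced
// string into an inline <script> during SSR. "<" and ">" are what allow
// "</script>" (and "<!--") to be seen by the HTML parser; "&" and the JS
// line terminators U+2028/U+2029 are escaped as defence in depth. Using
// \uXXXX keeps the literal valid for both JSON.parse and JavaScript.

function serializeForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Emits a hydration marker for a keyed async boundary (hypothetical shape).
// The key is the untrusted part; only its escaped form reaches the document.
function renderHydrationScript(key, payload) {
  return `<script>window.__hydrate(${serializeForScript(key)}, ${serializeForScript(payload)});</script>`;
}

// Constructed attacker-style key: closes the script and opens a new one.
const HOSTILE_KEY = '</script><script>alert(document.domain)</script>';

function demo() {
  const html = renderHydrationScript(HOSTILE_KEY, { n: 1 });
  return {
    html,
    // The HTML parser would see exactly one <script> and one </script>.
    opens: (html.match(/<script>/g) || []).length,
    closes: (html.match(/<\/script>/g) || []).length,
    // The escaped literal still evaluates to the original key.
    roundTrip: JSON.parse(serializeForScript(HOSTILE_KEY)) === HOSTILE_KEY,
  };
}
```

The same serializer is the right tool whenever SSR embeds server data in a script element (hydration state, inline config); HTML entity escaping is wrong in that context, because script content is raw text and `&lt;` would not be decoded.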

  • CVE-2026-22775 · Jan 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in…

  • CVE-2026-22774 · Jan 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in…

  • CVE-2026-22803 · Jan 15, 2026
    risk 0.00 · cvss n/a · epss 0.01

    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the…

  • CVE-2025-67647 · Jan 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability…

  • CVE-2024-53261 · Nov 25, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. "Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)."…

  • CVE-2024-53262 · Nov 25, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else…

  • CVE-2024-45047 · Aug 30, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Svelte is a performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situation the…

  • CVE-2024-23641 · Jan 24, 2024
    risk 0.00 · cvss n/a · epss 0.01

    SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the…

  • CVE-2023-29008 · Apr 6, 2023
    risk 0.00 · cvss n/a · epss 0.00

    The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users.…

  • CVE-2023-29003 · Apr 4, 2023
    risk 0.00 · cvss n/a · epss 0.01

    SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request…

  • CVE-2022-25875 · Jul 12, 2022
    risk 0.00 · cvss n/a · epss 0.01

    The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom…

  • CVE-2021-29261 · Apr 5, 2021
    risk 0.00 · cvss n/a · epss 0.01

    The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration.