Svelte affected by cross-site scripting via spread attributes in Svelte SSR
- Severity:
- Medium
Description
Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output.
Recommendation
Update the svelte package to the latest compatible version. Followings are version details:
- Affected version(s): <= 5.51.4
- Patched version(s): 5.51.5
References
Related Issues
- CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
- Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE) - CVE-2026-23733
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message - CVE-2025-64758
- Tags:
- npm
- svelte
Anything's wrong? Let us know Last updated on February 23, 2026