Description
When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims’ browsers.
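As an added defensive example (not code from Svelte or from this advisory), the helper below drops event-handler keys and any attribute name outside an application-defined allowlist from an untrusted object before it is spread onto an element, and provides a coarse check for inline handlers in rendered HTML; the allowlist and sample inputs are constructed.

```javascript
// Defensive filter for attribute objects built from untrusted data, to be applied
// before {...attrs} is spread onto an element in a server-rendered component.
// Added example; not part of Svelte or the advisory text.

// Attributes the application actually expects (constructed allowlist; adjust per element).
const ALLOWED_ATTRS = new Set(["id", "class", "title", "href", "src", "alt", "data-id"]);

function isEventHandlerName(name) {
  // onclick, onmouseover, ONLOAD, " onerror" ... regardless of case or stray whitespace.
  return /^\s*on/i.test(name);
}

function sanitizeSpreadAttrs(attrs) {
  const safe = {};
  for (const [rawKey, value] of Object.entries(attrs ?? {})) {
    const key = String(rawKey).trim().toLowerCase();
    if (isEventHandlerName(key)) continue;          // never forward on* handlers
    if (!ALLOWED_ATTRS.has(key)) continue;           // drop anything not explicitly expected
    if (typeof value !== "string" && typeof value !== "number") continue; // no functions/objects
    safe[key] = String(value);
  }
  return safe;
}

// Coarse post-render check for CI or tests: returns the lowercased names of
// inline on* attributes found in an HTML string. Regex-based, so it can
// over-match text content; treat hits as something to inspect, not proof.
function findInlineHandlers(html) {
  const found = [];
  const re = /\s(on[a-z]+)\s*=/gi;
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1].toLowerCase());
  return found;
}

// Constructed untrusted input resembling attributes supplied by an external source.
const untrusted = {
  id: "card-1",
  class: "card",
  href: "/profile",
  onclick: "alert(document.cookie)",
  " OnMouseOver ": "alert(1)",
  style: "color:red",
  fn: () => 1,
};
console.log(sanitizeSpreadAttrs(untrusted));
console.log(findInlineHandlers('<div id="a" onclick="alert(1)" ONLOAD=x>'));
```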
Recommendation
Update the svelte package to the latest compatible version. Version details:
- Affected version(s): <= 5.55.6
- Patched version(s): 5.55.7
References
Related Issues
- Svelte affected by cross-site scripting via spread attributes in Svelte SSR - CVE-2026-27121
Last updated on May 14, 2026