Description
An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.
Recommendation
Update the svelte package to the latest compatible version. Version details:
- Affected version(s): >= 5.46.0, <= 5.46.3
- Patched version(s): 5.46.4
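
To check whether a project still resolves an affected copy of svelte, including copies nested under other dependencies, the version range above can be tested against the lockfile. The following is an added example, not code from the Svelte project or from this advisory; the function names and the sample lockfile are constructed for illustration, and it assumes an npm lockfile (lockfileVersion 2 or 3) with a `packages` map.

```javascript
// Affected range and patched version, as stated in the advisory.
const AFFECTED_MIN = [5, 46, 0];
const AFFECTED_MAX = [5, 46, 3];
const PATCHED = "5.46.4";

// Parse "major.minor.patch"; a prerelease or build suffix is ignored, so a
// prerelease of an affected version is conservatively treated as affected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null &&
    compareVersions(v, AFFECTED_MIN) >= 0 &&
    compareVersions(v, AFFECTED_MAX) <= 0;
}

// Walk the lockfile's "packages" map and report every installed copy of
// svelte in the affected range, whether top-level or nested.
function findAffectedSvelte(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const isSvelte = path === "node_modules/svelte" ||
      path.endsWith("/node_modules/svelte");
    if (isSvelte && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (package names other than svelte are hypothetical).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/svelte": { version: "5.46.4" },
    "node_modules/some-ui-kit/node_modules/svelte": { version: "5.46.1" },
    "node_modules/legacy-widget/node_modules/svelte": { version: "5.45.9" },
  },
};

for (const hit of findAffectedSvelte(sampleLock)) {
  console.log(`${hit.path}@${hit.version} is affected; update to ${PATCHED} or later`);
}
```
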
References
Related Issues
- Nuxt DevTools vulnerable to cross-site scripting (XSS) - CVE-2025-52662
- @tiptap/extension-link vulnerable to Cross-site Scripting (XSS) - CVE-2025-14284
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
Tags: npm, svelte
Last updated on January 19, 2026