svelte vulnerable to Cross-site Scripting

Description

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

Recommendation

Update the svelte package to the latest compatible version. Followings are version details:

• Affected version(s): >= 5.46.0, <= 5.46.3
• Patched version(s): 5.46.4

References

• GHSA-6738-r8g5-qwp3
• fluidattacks.com
• CVE-2025-15265
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Svelte SSR vulnerable to cross-site scripting via spread attributes - CVE-2026-42599
• Nuxt DevTools vulnerable to cross-site scripting (XSS) - CVE-2025-52662
• jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
• @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message - CVE-2025-64758

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

svelte