Description
An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.
Recommendation
Update the svelte package to the latest compatible version. Version details:
- Affected version(s): >= 5.46.0, <= 5.46.3
- Patched version(s): 5.46.4
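One way to check whether a project resolves to a version in the affected range above, as an added example that is not part of the original advisory. It assumes an npm `package-lock.json` with lockfileVersion 2 or 3; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag svelte installs inside the advisory's affected range.
const AFFECTED = { min: [5, 46, 0], max: [5, 46, 3] }; // range from the advisory
const PATCHED = "5.46.4";                              // patched version from the advisory

// Parse "major.minor.patch". Prerelease/build suffixes are ignored (assumption),
// so a prerelease of an affected release is reported as affected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Three-part numeric comparison: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED.min) >= 0 && compare(v, AFFECTED.max) <= 0;
}

// Walk the "packages" map of the lockfile and report every resolved copy of
// svelte, including copies nested under other dependencies.
function findAffectedSvelte(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/svelte$/.test(path)) continue; // skips svelte-check etc.
    if (isAffected(meta.version)) hits.push({ path, version: meta.version, upgradeTo: PATCHED });
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/svelte": { version: "5.46.1" },
    "node_modules/some-ui-kit/node_modules/svelte": { version: "5.46.4" },
    "node_modules/svelte-check": { version: "4.0.0" },
  },
};

console.log(findAffectedSvelte(sampleLock));
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffectedSvelte` instead of the sample object.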
References
Related Issues
- svelte is vulnerable to XSS with textarea bind:value - Vulnerability
- Angular vulnerable to Cross-site Scripting - CVE-2020-7676
- angular Prototype Pollution vulnerability - CVE-2019-10768
- rollbar vulnerable to prototype pollution - CVE-2025-57325
Tags: npm, svelte
Last updated on January 19, 2026