svelte vulnerable to Cross-site Scripting

Severity:: Medium

Description

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

Recommendation

Update the svelte package to the latest compatible version. Followings are version details:

Affected version(s): >= 5.46.0, <= 5.46.3
Patched version(s): 5.46.4

References

GHSA-6738-r8g5-qwp3
fluidattacks.com
CVE-2025-15265
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function - CVE-2025-66648
Trix vulnerable to Cross-site Scripting on copy & paste - CVE-2025-46812
@sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params - CVE-2025-32388

Tags:: npm; svelte

Anything's wrong? Let us know Last updated on January 19, 2026