Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State

Description

Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.

Recommendation

Update the svelte package to the latest compatible version. Followings are version details:

• Affected version(s): <= 5.55.6
• Patched version(s): 5.55.7

References

• GHSA-rcqx-6q8c-2c42
• CVE-2026-42573
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
• CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function - CVE-2026-26861
• Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
• Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

CSRF, XXE, and 12 Other Security Acronyms Explained

How do hackers hack websites?

Tags:

npm

svelte