Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
- Severity:
- Medium
Description
Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.
Recommendation
Update the svelte package to the latest compatible version. Followings are version details:
- Affected version(s): <= 5.55.6
- Patched version(s): 5.55.7
References
Related Issues
- CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function - CVE-2026-26861
- CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
- Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS - CVE-2026-40171
- Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes - CVE-2026-34405
You might also like:
- Tags:
- npm
- svelte
Anything's wrong? Let us know Last updated on May 14, 2026


