Search criteria
8 vulnerabilities found for Svelte by Svelte
CVE-2025-15265 (GCVE-0-2025-15265)
Vulnerability from nvd – Published: 2026-01-15 19:59 – Updated: 2026-01-15 20:28
VLAI?
Title
Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR)
Summary
An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise.
This issue affects Svelte: from 5.46.0 before 5.46.3.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Camilo Vera
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15265",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T20:28:05.329081Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T20:28:16.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://registry.npmjs.org",
"defaultStatus": "unaffected",
"packageName": "svelte",
"platforms": [
"Windows",
"Linux",
"MacOS"
],
"product": "Svelte",
"vendor": "Svelte",
"versions": [
{
"lessThan": "5.46.3",
"status": "affected",
"version": "5.46.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:svelte:svelte:*:*:windows:*:*:*:*:*",
"versionEndExcluding": "5.46.3",
"versionStartIncluding": "5.46.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:svelte:svelte:*:*:linux:*:*:*:*:*",
"versionEndExcluding": "5.46.3",
"versionStartIncluding": "5.46.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:svelte:svelte:*:*:macos:*:*:*:*:*",
"versionEndExcluding": "5.46.3",
"versionStartIncluding": "5.46.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Camilo Vera"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn SSR XSS exists in async hydration when attacker\u2011controlled keys are passed to hydratable. The key is embedded inside a \u0026lt;script\u0026gt; block without HTML\u2011safe escaping, allowing \u0026lt;/script\u0026gt; to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users\u0027 browsers, with potential for session theft and account compromise.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Svelte: from 5.46.0 before 5.46.3.\u003c/p\u003e"
}
],
"value": "An SSR XSS exists in async hydration when attacker\u2011controlled keys are passed to hydratable. The key is embedded inside a \u003cscript\u003e block without HTML\u2011safe escaping, allowing \u003c/script\u003e to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users\u0027 browsers, with potential for session theft and account compromise.\nThis issue affects Svelte: from 5.46.0 before 5.46.3."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T19:59:41.683Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/advisories/lydian"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3"
},
{
"tags": [
"patch"
],
"url": "https://fluidattacks.com/advisories/lydian"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2025-15265",
"datePublished": "2026-01-15T19:59:41.683Z",
"dateReserved": "2025-12-29T15:31:42.980Z",
"dateUpdated": "2026-01-15T20:28:16.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45047 (GCVE-0-2024-45047)
Vulnerability from nvd – Published: 2024-08-30 16:55 – Updated: 2024-08-30 18:11
VLAI?
Title
Potential mXSS vulnerability due to improper HTML escaping in svelte
Summary
svelte performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). More specifically, this can occur when injecting malicious content into an attribute within a `noscript` tag. This issue has been addressed in release version 4.2.19. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "svelte",
"vendor": "svelte",
"versions": [
{
"lessThan": "4.2.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45047",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T18:09:31.713710Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T18:11:07.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "svelte",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.2.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "svelte performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). More specifically, this can occur when injecting malicious content into an attribute within a `noscript` tag. This issue has been addressed in release version 4.2.19. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T16:55:39.106Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c"
}
],
"source": {
"advisory": "GHSA-8266-84wp-wv5c",
"discovery": "UNKNOWN"
},
"title": "Potential mXSS vulnerability due to improper HTML escaping in svelte"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45047",
"datePublished": "2024-08-30T16:55:39.106Z",
"dateReserved": "2024-08-21T17:53:51.331Z",
"dateUpdated": "2024-08-30T18:11:07.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25875 (GCVE-0-2022-25875)
Vulnerability from nvd – Published: 2022-07-12 14:20 – Updated: 2024-09-17 04:14
VLAI?
Title
Cross-site Scripting (XSS)
Summary
The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Severity ?
5.4 (Medium)
CWE
- Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Maurício Kishi
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:44.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "svelte",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.49.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maur\u00edcio Kishi"
}
],
"datePublic": "2022-07-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 5.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-12T14:20:17",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
}
],
"title": "Cross-site Scripting (XSS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-07-12T14:15:41.933572Z",
"ID": "CVE-2022-25875",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "svelte",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.49.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Maur\u00edcio Kishi"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
},
{
"name": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990",
"refsource": "MISC",
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"name": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907",
"refsource": "MISC",
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25875",
"datePublished": "2022-07-12T14:20:17.950532Z",
"dateReserved": "2022-02-24T00:00:00",
"dateUpdated": "2024-09-17T04:14:01.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29261 (GCVE-0-2021-29261)
Vulnerability from nvd – Published: 2021-04-05 06:15 – Updated: 2024-08-03 22:02
VLAI?
Summary
The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.444Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuln.ryotak.me/advisories/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-05T06:15:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuln.ryotak.me/advisories/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-29261",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode",
"refsource": "MISC",
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"name": "https://github.com/sveltejs/language-tools/releases",
"refsource": "MISC",
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"name": "https://vuln.ryotak.me/advisories/3",
"refsource": "MISC",
"url": "https://vuln.ryotak.me/advisories/3"
},
{
"name": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0",
"refsource": "MISC",
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"name": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075",
"refsource": "MISC",
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-29261",
"datePublished": "2021-04-05T06:15:21",
"dateReserved": "2021-03-26T00:00:00",
"dateUpdated": "2024-08-03T22:02:51.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-15265 (GCVE-0-2025-15265)
Vulnerability from cvelistv5 – Published: 2026-01-15 19:59 – Updated: 2026-01-15 20:28
VLAI?
Title
Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR)
Summary
An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise.
This issue affects Svelte: from 5.46.0 before 5.46.3.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Camilo Vera
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15265",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T20:28:05.329081Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T20:28:16.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://registry.npmjs.org",
"defaultStatus": "unaffected",
"packageName": "svelte",
"platforms": [
"Windows",
"Linux",
"MacOS"
],
"product": "Svelte",
"vendor": "Svelte",
"versions": [
{
"lessThan": "5.46.3",
"status": "affected",
"version": "5.46.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:svelte:svelte:*:*:windows:*:*:*:*:*",
"versionEndExcluding": "5.46.3",
"versionStartIncluding": "5.46.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:svelte:svelte:*:*:linux:*:*:*:*:*",
"versionEndExcluding": "5.46.3",
"versionStartIncluding": "5.46.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:svelte:svelte:*:*:macos:*:*:*:*:*",
"versionEndExcluding": "5.46.3",
"versionStartIncluding": "5.46.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Camilo Vera"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn SSR XSS exists in async hydration when attacker\u2011controlled keys are passed to hydratable. The key is embedded inside a \u0026lt;script\u0026gt; block without HTML\u2011safe escaping, allowing \u0026lt;/script\u0026gt; to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users\u0027 browsers, with potential for session theft and account compromise.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Svelte: from 5.46.0 before 5.46.3.\u003c/p\u003e"
}
],
"value": "An SSR XSS exists in async hydration when attacker\u2011controlled keys are passed to hydratable. The key is embedded inside a \u003cscript\u003e block without HTML\u2011safe escaping, allowing \u003c/script\u003e to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users\u0027 browsers, with potential for session theft and account compromise.\nThis issue affects Svelte: from 5.46.0 before 5.46.3."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T19:59:41.683Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/advisories/lydian"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3"
},
{
"tags": [
"patch"
],
"url": "https://fluidattacks.com/advisories/lydian"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2025-15265",
"datePublished": "2026-01-15T19:59:41.683Z",
"dateReserved": "2025-12-29T15:31:42.980Z",
"dateUpdated": "2026-01-15T20:28:16.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45047 (GCVE-0-2024-45047)
Vulnerability from cvelistv5 – Published: 2024-08-30 16:55 – Updated: 2024-08-30 18:11
VLAI?
Title
Potential mXSS vulnerability due to improper HTML escaping in svelte
Summary
svelte performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). More specifically, this can occur when injecting malicious content into an attribute within a `noscript` tag. This issue has been addressed in release version 4.2.19. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "svelte",
"vendor": "svelte",
"versions": [
{
"lessThan": "4.2.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45047",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T18:09:31.713710Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T18:11:07.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "svelte",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.2.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "svelte performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). More specifically, this can occur when injecting malicious content into an attribute within a `noscript` tag. This issue has been addressed in release version 4.2.19. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T16:55:39.106Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c"
}
],
"source": {
"advisory": "GHSA-8266-84wp-wv5c",
"discovery": "UNKNOWN"
},
"title": "Potential mXSS vulnerability due to improper HTML escaping in svelte"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45047",
"datePublished": "2024-08-30T16:55:39.106Z",
"dateReserved": "2024-08-21T17:53:51.331Z",
"dateUpdated": "2024-08-30T18:11:07.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25875 (GCVE-0-2022-25875)
Vulnerability from cvelistv5 – Published: 2022-07-12 14:20 – Updated: 2024-09-17 04:14
VLAI?
Title
Cross-site Scripting (XSS)
Summary
The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Severity ?
5.4 (Medium)
CWE
- Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Maurício Kishi
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:44.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "svelte",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.49.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maur\u00edcio Kishi"
}
],
"datePublic": "2022-07-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 5.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-12T14:20:17",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
}
],
"title": "Cross-site Scripting (XSS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-07-12T14:15:41.933572Z",
"ID": "CVE-2022-25875",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "svelte",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.49.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Maur\u00edcio Kishi"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
},
{
"name": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990",
"refsource": "MISC",
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"name": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907",
"refsource": "MISC",
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25875",
"datePublished": "2022-07-12T14:20:17.950532Z",
"dateReserved": "2022-02-24T00:00:00",
"dateUpdated": "2024-09-17T04:14:01.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29261 (GCVE-0-2021-29261)
Vulnerability from cvelistv5 – Published: 2021-04-05 06:15 – Updated: 2024-08-03 22:02
VLAI?
Summary
The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.444Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuln.ryotak.me/advisories/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-05T06:15:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuln.ryotak.me/advisories/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-29261",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode",
"refsource": "MISC",
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"name": "https://github.com/sveltejs/language-tools/releases",
"refsource": "MISC",
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"name": "https://vuln.ryotak.me/advisories/3",
"refsource": "MISC",
"url": "https://vuln.ryotak.me/advisories/3"
},
{
"name": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0",
"refsource": "MISC",
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"name": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075",
"refsource": "MISC",
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-29261",
"datePublished": "2021-04-05T06:15:21",
"dateReserved": "2021-03-26T00:00:00",
"dateUpdated": "2024-08-03T22:02:51.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}