Svelte

This hub aggregates every CVE we track for Svelte, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 13 most recently published vulnerabilities affecting Svelte.

• CVE-2026-42599Cross-site scripting via spread attributes in Svelte SSR6.1Jun 9, 2026
• CVE-2026-42567Svelte: ReDoS in `<svelte:element>` Tag Validation7.5Jun 9, 2026
• CVE-2026-42573Svelte: XSS via DOM Clobbering of Internal Framework State6.1Jun 9, 2026
• CVE-2026-27902Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers5.4Feb 26, 2026
• CVE-2026-27901Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`6.1Feb 26, 2026
• CVE-2026-27125Svelte SSR attribute spreading includes inherited properties from prototype chain6.8Feb 20, 2026
• CVE-2026-27122Svelte SSR does not validate dynamic element tag names in `<svelte:element>`5.4Feb 20, 2026
• CVE-2026-27121Svelte affected by cross-site scripting via spread attributes in Svelte SSR5.4Feb 20, 2026
• CVE-2026-27119Svelte affected by XSS in SSR `<option>` element5.4Feb 20, 2026
• CVE-2025-15265Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR)6.1Jan 15, 2026
• CVE-2024-45047Potential mXSS vulnerability due to improper HTML escaping in svelte5.4Aug 30, 2024
• CVE-2022-25875Cross-site Scripting (XSS)5.4Jul 12, 2022
• CVE-2021-29261The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration.7.8Apr 5, 2021