sveltejs

Top products

The 15 most recently published vulnerabilities affecting sveltejs.

• CVE-2026-42599Cross-site scripting via spread attributes in Svelte SSR6.1Jun 9, 2026
• CVE-2026-42567Svelte: ReDoS in `<svelte:element>` Tag Validation7.5Jun 9, 2026
• CVE-2026-42573Svelte: XSS via DOM Clobbering of Internal Framework State6.1Jun 9, 2026
• CVE-2026-42570Svelte devalue: DoS via sparse array deserialization7.5Jun 9, 2026
• CVE-2026-40074SvelteKit's invalidated redirect in handle hook causes Denial-of-Service7.5Apr 10, 2026
• CVE-2026-40073SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node7.5Apr 10, 2026
• CVE-2026-30226devalue has prototype pollution in devalue.parse and devalue.unflatten7.5Mar 11, 2026
• CVE-2026-27902Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers5.4Feb 26, 2026
• CVE-2026-27901Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`6.1Feb 26, 2026
• CVE-2026-27125Svelte SSR attribute spreading includes inherited properties from prototype chain6.8Feb 20, 2026
• CVE-2026-27122Svelte SSR does not validate dynamic element tag names in `<svelte:element>`5.4Feb 20, 2026
• CVE-2026-27121Svelte affected by cross-site scripting via spread attributes in Svelte SSR5.4Feb 20, 2026
• CVE-2026-27119Svelte affected by XSS in SSR `<option>` element5.4Feb 20, 2026
• CVE-2026-22775devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse7.5Jan 15, 2026
• CVE-2026-22774devalue vulnerable to denial of service due to memory exhaustion in devalue.parse7.5Jan 15, 2026