Primary

Context

Svelte Cross-Site Scripting Vulnerability in Server-Side Rendering

Vulnerability

Patched

A cross-site scripting (XSS) vulnerability has been identified in the Svelte web framework, affecting versions prior to 5.51.5. The issue arises during server-side rendering when spread syntax is used to render attributes from untrusted data. In such cases, event handler properties can be inadvertently included in the HTML output. This allows attackers to inject malicious event handlers that execute in the browsers of users.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Remediation

Users can upgrade to Svelte version 5.51.5 or later to address this vulnerability.

Added: Feb 20, 2026, 11:27 PM

Updated: Feb 20, 2026, 11:27 PM

Vulnerability Rating

Custom Algorithm

spread

4.2

impact

1.7

exploitability

3.3

remediation

7.7

relevance

3.2

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.2

impact

1.7

exploitability

3.3

remediation

7.7

relevance

3.2

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Svelte Cross-Site Scripting Vulnerability in Server-Side Rendering

Vulnerability

Impact

Remediation

Affected Products

svelte

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating