Primary

Context

Svelte Event Handler Injection Vulnerability via Spread Syntax in Untrusted Data

Vulnerability

Patched

A cross-site scripting vulnerability has been identified in Svelte versions prior to 5.55.7. When spread syntax is used to render attributes from untrusted data, event handler properties can be inadvertently included in the HTML output. This allows attackers to inject malicious event handlers that execute in the context of the victim's browser. The issue arises only if JavaScript is enabled and Svelte's hydration process does not reach the affected element before the event is triggered.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected event handlers can execute malicious scripts in the context of the user's browser.

Remediation

Users can upgrade to Svelte version 5.55.7 or later to address this vulnerability.

Added: Jun 9, 2026, 8:08 PM

Updated: Jun 9, 2026, 8:08 PM

Vulnerability Rating

Custom Algorithm

spread

4.2

impact

1.7

exploitability

4.0

remediation

7.7

relevance

9.6

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.2

impact

1.7

exploitability

4.0

remediation

7.7

relevance

9.6

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Svelte Event Handler Injection Vulnerability via Spread Syntax in Untrusted Data

Vulnerability

Impact

Remediation

Affected Products

Svelte

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating