By vendor
Svelte vulnerabilities
Known CVEs affecting Svelte products, prioritized by severity, with SEC.co remediation and detection guidance.
4 published vulnerabilities
- CVE-2026-42567HIGH 7.5
Svelte, a popular web framework known for performance, contains a vulnerability in its runtime that can be exploited to cause denial-of-service attacks. When certain dynamic element tags are processed, an internal regular expression pattern can consume exponential amounts of computation time, effectively freezing or crashing an application. Attackers can trigger this by sending crafted input to applications using affected Svelte versions, disrupting service availability without needing authentication or special privileges.
- CVE-2026-42570HIGH 7.5
Svelte devalue is a widely-used JavaScript library for serializing complex data structures. Versions 5.6.3 through 5.8.0 contain a flaw in the deserialization function (devalue.parse) that allows an attacker to trigger excessive memory allocation by sending specially crafted sparse array payloads. Depending on JavaScript engine implementation quirks, this can exhaust available memory and crash applications that depend on devalue. The issue does not affect confidentiality or integrity—only availability. It has been resolved in version 5.8.1.
- CVE-2026-42573MEDIUM 6.1
Svelte, a lightweight and performance-focused web framework, contained a vulnerability in versions before 5.55.7 that allowed attackers to manipulate the browser's DOM in a way that corrupted Svelte's internal state. By exploiting DOM clobbering—a technique where attackers inject HTML elements that shadow legitimate JavaScript objects—an attacker could potentially inject malicious scripts that execute in a user's browser, leading to cross-site scripting (XSS) attacks. The vulnerability requires user interaction, such as clicking a link or visiting a malicious page, to be triggered.
- CVE-2026-42599MEDIUM 6.1
Svelte, a popular web framework, contains a vulnerability where untrusted data rendered as HTML attributes can include malicious event handlers. If your application uses Svelte's spread syntax to render attributes from user input or external sources, attackers could inject code that runs when users interact with those elements. The risk is reduced if Svelte's hydration process completes before the injected event fires, but this shouldn't be relied upon as a defense. Version 5.55.7 and later address this issue.