CVE-2026-42573: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in sveltejs svelte
Svelte versions prior to 5. 55. 7 are vulnerable to a DOM clobbering issue affecting the internal framework state on elements, which can lead to cross-site scripting (XSS) attacks. This vulnerability has been addressed in version 5. 55. 7. The CVSS 4. 0 base score is 5. 3, indicating a medium severity level.
AI Analysis
Technical Summary
CVE-2026-42573 describes a cross-site scripting (XSS) vulnerability in the Svelte web framework caused by improper neutralization of input during web page generation (CWE-79). Specifically, versions before 5.55.7 are susceptible to DOM clobbering of internal framework state on elements, potentially allowing attackers to execute malicious scripts. The issue was patched in version 5.55.7.
Potential Impact
Exploitation of this vulnerability could allow an attacker to manipulate the DOM in a way that compromises the internal state of the Svelte framework, leading to cross-site scripting attacks. This can result in unauthorized script execution in the context of the affected web application. The CVSS score of 5.3 reflects a medium impact, with network attack vector, high attack complexity, and partial privileges required.
Mitigation Recommendations
Upgrade to Svelte version 5.55.7 or later, where this vulnerability has been patched. No other official remediation or temporary fixes are indicated. Users should apply this update promptly to mitigate the risk of XSS attacks related to this issue.
CVE-2026-42573: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in sveltejs svelte
Description
Svelte versions prior to 5. 55. 7 are vulnerable to a DOM clobbering issue affecting the internal framework state on elements, which can lead to cross-site scripting (XSS) attacks. This vulnerability has been addressed in version 5. 55. 7. The CVSS 4. 0 base score is 5. 3, indicating a medium severity level.
CVSS v4.0
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42573 describes a cross-site scripting (XSS) vulnerability in the Svelte web framework caused by improper neutralization of input during web page generation (CWE-79). Specifically, versions before 5.55.7 are susceptible to DOM clobbering of internal framework state on elements, potentially allowing attackers to execute malicious scripts. The issue was patched in version 5.55.7.
Potential Impact
Exploitation of this vulnerability could allow an attacker to manipulate the DOM in a way that compromises the internal state of the Svelte framework, leading to cross-site scripting attacks. This can result in unauthorized script execution in the context of the affected web application. The CVSS score of 5.3 reflects a medium impact, with network attack vector, high attack complexity, and partial privileges required.
Mitigation Recommendations
Upgrade to Svelte version 5.55.7 or later, where this vulnerability has been patched. No other official remediation or temporary fixes are indicated. Users should apply this update promptly to mitigate the risk of XSS attacks related to this issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-28T17:26:12.084Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a284cbb8dd33fbd8566453d
Added to database: 6/9/2026, 5:26:19 PM
Last enriched: 6/9/2026, 11:26:46 PM
Last updated: 6/10/2026, 6:14:47 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.