CVE-2026-42599: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in sveltejs svelte
Svelte versions prior to 5. 55. 7 have a cross-site scripting (XSS) vulnerability due to improper neutralization of input when using spread syntax to render attributes from untrusted data. This allows malicious event handlers to be injected into rendered HTML if user-controlled data is spread as element attributes. The vulnerability requires JavaScript enabled in the victim's browser and that Svelte's hydration does not reach the vulnerable element before the event fires. The issue is fixed in version 5. 55. 7.
AI Analysis
Technical Summary
CVE-2026-42599 describes a cross-site scripting vulnerability in the Svelte web framework before version 5.55.7. When applications use spread syntax to render attributes from untrusted sources, event handler properties are included in the output HTML, enabling injection of malicious event handlers. This vulnerability triggers only if the victim's browser has JavaScript enabled and Svelte's hydration mechanism does not process the vulnerable element before the event fires. The vulnerability is addressed by a patch in Svelte version 5.55.7.
Potential Impact
An attacker can inject malicious event handlers into the HTML output of a Svelte application, potentially executing arbitrary JavaScript in the context of the victim's browser. This can lead to cross-site scripting attacks, compromising user data or session integrity. The vulnerability requires specific conditions related to JavaScript execution and hydration timing, which may limit exploitation scenarios.
Mitigation Recommendations
This vulnerability has been patched in Svelte version 5.55.7. Users and developers should upgrade to version 5.55.7 or later to remediate this issue. No additional mitigation steps are indicated by the vendor advisory.
CVE-2026-42599: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in sveltejs svelte
Description
Svelte versions prior to 5. 55. 7 have a cross-site scripting (XSS) vulnerability due to improper neutralization of input when using spread syntax to render attributes from untrusted data. This allows malicious event handlers to be injected into rendered HTML if user-controlled data is spread as element attributes. The vulnerability requires JavaScript enabled in the victim's browser and that Svelte's hydration does not reach the vulnerable element before the event fires. The issue is fixed in version 5. 55. 7.
CVSS v4.0
Score 5.1medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42599 describes a cross-site scripting vulnerability in the Svelte web framework before version 5.55.7. When applications use spread syntax to render attributes from untrusted sources, event handler properties are included in the output HTML, enabling injection of malicious event handlers. This vulnerability triggers only if the victim's browser has JavaScript enabled and Svelte's hydration mechanism does not process the vulnerable element before the event fires. The vulnerability is addressed by a patch in Svelte version 5.55.7.
Potential Impact
An attacker can inject malicious event handlers into the HTML output of a Svelte application, potentially executing arbitrary JavaScript in the context of the victim's browser. This can lead to cross-site scripting attacks, compromising user data or session integrity. The vulnerability requires specific conditions related to JavaScript execution and hydration timing, which may limit exploitation scenarios.
Mitigation Recommendations
This vulnerability has been patched in Svelte version 5.55.7. Users and developers should upgrade to version 5.55.7 or later to remediate this issue. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-29T00:31:15.725Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a284cbb8dd33fbd85664541
Added to database: 6/9/2026, 5:26:19 PM
Last enriched: 6/9/2026, 11:26:41 PM
Last updated: 6/10/2026, 6:22:32 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.