CVE-2026-42573

Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State

Published: 5/14/2026Modified: 5/14/2026

Description

Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. You are vulnerable if all of the following is true: - you are using attribute spreading on a form element - you are using attribute spreading or allow a dynamic value for the `name` attribute on an input or button element within that form - both of these are simultaneously user-controllable ```svelte <form {...spread1}> <input {...spread2}> </form> ```

Affected packages (1)

npm/sveltefrom 0, < 5.55.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References (3)

PATCHhttps://github.com/sveltejs/svelte
WEBhttps://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7
WEBhttps://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42