CVE-2026-42573
Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
Published: 2026/5/14 Modified: 2026/5/14
Description
Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. You are vulnerable if all of the following are true:

- you are using attribute spreading on a form element
- you are using attribute spreading or allow a dynamic value for the `name` attribute on an input or button element within that form
- both of these are simultaneously user-controllable

```svelte
<form {...spread1}>
  <input {...spread2}>
</form>
```
Affected packages (1)
- npm/svelte: from 0, < 5.55.7
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N |