Description
Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Svelte versions prior to 5.55.7 contain a flaw that allows an attacker to clobber internal framework state on DOM elements, creating a client‑side XSS vector. By injecting crafted attribute values, malicious code can execute in the victim’s browser, potentially leading to session hijacking, data theft, or further exploitation of web application logic.

Affected Systems

The vulnerability affects the Svelte JavaScript framework from the sveltejs organization. Any application built with a Svelte version earlier than 5.55.7 is at risk, including dependencies that transitively bundle older Svelte releases.

Risk and Exploitability

The CVSS v3.1 score is 5.3, indicating moderate severity. EPSS information is not currently available, but the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a user to visit a page that uses the vulnerable Svelte build; the attacker supplies malicious attribute values that overwrite internal framework state, enabling script execution. Because the flaw is client‑side, it is broadly applicable but does not grant direct access to server‑side resources.

Generated by OpenCVE AI on June 9, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Svelte framework to version 5.55.7 or later in all project and dependency trees.
  • Run a dependency audit to ensure that no older Svelte releases remain in your build or third‑party packages.
  • Configure a strict content‑security‑policy that restricts script sources and mitigates any remaining XSS vectors.

Generated by OpenCVE AI on June 9, 2026 at 18:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rcqx-6q8c-2c42 Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
History

Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 09 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Svelte
Svelte svelte
Vendors & Products Svelte
Svelte svelte

Tue, 09 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7.
Title Svelte: XSS via DOM Clobbering of Internal Framework State
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Svelte Svelte
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T03:20:42.929Z

Reserved: 2026-04-28T17:26:12.084Z

Link: CVE-2026-42573

cve-icon Vulnrichment

Updated: 2026-06-09T18:25:45.872Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T17:17:07.400

Modified: 2026-06-11T18:46:50.667

Link: CVE-2026-42573

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-09T16:21:29Z

Links: CVE-2026-42573 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:00:17Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')