Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package svelte, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (12)
CVE-2026-42567 — CVSS 7.5 (high): Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can…
CVE-2026-27125 — CVSS 6.8 (medium): svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div…
CVE-2026-42599 — CVSS 6.1 (medium): Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data…
CVE-2025-15265 — CVSS 6.1 (medium): An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block…
CVE-2026-27901 — CVSS 6.1 (medium): Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on…
CVE-2026-42573 — CVSS 6.1 (medium): Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework…
CVE-2026-27119 — CVSS 5.4 (medium): svelte performance oriented web framework. From 5.39.3, <=5.51.4, in certain circumstances, the server-side rendering output of an <option>…
CVE-2022-25875 — CVSS 5.4 (medium): The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of…
CVE-2026-27902 — CVSS 5.4 (medium): Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being…
CVE-2024-45047 — CVSS 5.4 (medium): svelte performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19…
CVE-2026-27121 — CVSS 5.4 (medium): svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during…
CVE-2026-27122 — CVSS 5.4 (medium): svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided…