CVE-2026-42599
Undergoing Analysis - In Progress
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
Svelte is a performance-oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. Note that this vulnerability only triggers if the user's browser has JavaScript enabled but Svelte's hydration mechanism does not reach the vulnerable element before the event fires. This issue has been patched in version 5.55.7.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: svelte | Product: svelte | Version / Range: up to 5.55.7 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability exists in the Svelte web framework prior to version 5.55.7. When using spread syntax to render attributes from untrusted data, event handler properties are unintentionally included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in the victim's browser.

The vulnerability only triggers if the user's browser has JavaScript enabled and Svelte's hydration mechanism does not reach the vulnerable element before the event fires.

This issue has been fixed in version 5.55.7 of Svelte.

Impact Analysis

An attacker can exploit this vulnerability to inject malicious event handlers into the HTML output of a Svelte application that uses spread syntax with untrusted data. This can lead to the execution of arbitrary JavaScript code in the victim's browser.

Such code execution can result in theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected web application.

Mitigation Strategies

The vulnerability has been patched in Svelte version 5.55.7.

To mitigate this vulnerability, immediately upgrade your Svelte framework to version 5.55.7 or later.

Additionally, avoid spreading user-controlled or external data as element attributes in your application to prevent injection of malicious event handlers.
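The following is an added example, not code from this advisory or from the Svelte project, showing one way an application can apply the mitigation above when it cannot avoid spreading externally sourced attribute objects. It assumes a hypothetical attribute object arriving from an untrusted source (for instance a CMS payload) that the component would otherwise spread onto an element; the helper names and the sample data are constructed for illustration. The example goes slightly beyond the advisory text by showing both a denylist that drops event handler keys and an allowlist that keeps only attributes the component actually needs.

```javascript
// Added example (not Svelte's or the advisory's own code).
// Assumption: attribute objects reach the component from an untrusted source
// and would be spread onto an element; these helpers run on them first.

// HTML event handler attribute names are "on" followed by the event name
// (onclick, onerror, onmouseover, ...). HTML attribute names are
// case-insensitive, so the match is too. This is deliberately conservative:
// any "on"-prefixed key is dropped, even an unusual data key like "online".
const EVENT_HANDLER_RE = /^on[a-z]/i;

// True when the key names an inline event handler. Surrounding whitespace is
// trimmed first so a padded key cannot slip past the check.
function isEventHandlerKey(key) {
  return EVENT_HANDLER_RE.test(String(key).trim());
}

// Denylist variant: copy every attribute except event handlers.
function stripEventHandlers(attrs) {
  const safe = {};
  for (const [key, value] of Object.entries(attrs || {})) {
    if (isEventHandlerKey(key)) continue;
    safe[key] = value;
  }
  return safe;
}

// Allowlist variant: keep only attribute names the component expects.
// Event handler keys are rejected even if someone adds them to the allowlist,
// so a misconfigured allowlist cannot reintroduce the problem.
function pickAllowedAttributes(attrs, allowed) {
  const allowedSet = new Set(allowed.map((name) => name.toLowerCase()));
  const safe = {};
  for (const [key, value] of Object.entries(attrs || {})) {
    if (isEventHandlerKey(key)) continue;
    if (allowedSet.has(key.toLowerCase())) safe[key] = value;
  }
  return safe;
}

// Constructed sample input: an attribute object that smuggles handlers in
// among ordinary attributes, using mixed case to probe the check.
const UNTRUSTED_ATTRS = {
  id: 'card-1',
  class: 'card',
  title: 'Hello',
  onclick: 'alert(1)',
  OnMouseOver: 'alert(2)',
  ' onload ': 'alert(3)',
  'data-track': 'home',
};

// Stand-alone demonstration: only id, class, title and data-track survive.
console.log(JSON.stringify(stripEventHandlers(UNTRUSTED_ATTRS)));
console.log(JSON.stringify(pickAllowedAttributes(UNTRUSTED_ATTRS, ['id', 'class', 'onclick'])));
```

In a component, the filtered object is what gets spread (`{...safeAttrs}` rather than `{...attrs}`). The allowlist form is preferable wherever the set of attributes a component accepts is known, since it also excludes attributes the advisory does not cover but that a component rarely needs to accept from external data.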

Compliance Impact

The vulnerability in Svelte prior to version 5.55.7 allows injection of malicious event handlers via spread syntax from untrusted data, leading to potential Cross-Site Scripting (XSS) attacks. Such XSS vulnerabilities can result in unauthorized execution of scripts in users' browsers, potentially exposing sensitive data or enabling unauthorized actions.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable XSS attacks can impact compliance by risking the confidentiality and integrity of personal or sensitive data handled by web applications. Organizations using vulnerable versions of Svelte may face increased risk of data breaches or unauthorized data access, which could lead to non-compliance with data protection regulations.

The issue has been patched in Svelte version 5.55.7, which mitigates this risk by no longer including event handler properties from spread attributes in the rendered HTML output.
