2487076 – (CVE-2026-42599) CVE-2026-42599 svelte: Svelte: Cross-Site Scripting via untrusted data in spread attributes

Bug 2487076 (CVE-2026-42599) - CVE-2026-42599 svelte: Svelte: Cross-Site Scripting via untrusted data in spread attributes

Summary: CVE-2026-42599 svelte: Svelte: Cross-Site Scripting via untrusted data in spr...

Keywords:
Status:	NEW
Alias:	CVE-2026-42599
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-09 18:01 UTC by OSIDB Bzimport
Modified:	2026-06-10 14:53 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-09 18:01:25 UTC

Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. Note that this vulnerability only triggers if the user's browser has JavaScript enabled but Svelte's hydration mechanism does not reach the vulnerable element before the event fires. This issue has been patched in version 5.55.7.

Note You need to log in before you can comment on or make changes to this bug.