GHSA-rcqx-6q8c-2c42Medium

Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State

Published
May 14, 2026
Last Modified
June 9, 2026

🔗 CVE IDs covered (1)

📋 Description

Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.

You are vulnerable if all of the following is true:

  • you are using attribute spreading on a form element
  • you are using attribute spreading or allow a dynamic value for the name attribute on an input or button element within that form
  • both of these are simultaneously user-controllable
<form {...spread1}>
  <input {...spread2}>
</form>

🎯 Affected products1

  • npm/svelte:<= 5.55.6

🔗 References (4)