Svelte: XSS via DOM Clobbering of Internal Framework State

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

Description

Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7.

Basic Information

ID CVE-2026-42573

Source GitHub_M

Published Jun 9, 2026 at 16:21

Affected Product

Vendor sveltejs

Product svelte

Version < 5.55.7

Affected Versions sveltejs svelte < 5.55.7

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7.",
    "published": "2026-06-09T16:21:29.313Z",
    "modified": "2026-06-09T16:21:29.313Z",
    "type": "cve",
    "title": "Svelte: XSS via DOM Clobbering of Internal Framework State",
    "source": "GitHub_M",
    "references": "https://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42\nhttps://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7",
    "id": "CVE-2026-42573",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "sveltejs svelte < 5.55.7",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "svelte",
    "version": "< 5.55.7",
    "vendor": "sveltejs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Svelte: XSS via DOM Clobbering of Internal Framework State_CVE-2026-42573