PatchSiren cyber security CVE debrief
CVE-2026-42567 sveltejs CVE debrief
CVE-2026-42567 is a vulnerability in Svelte, a performance-oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7.
- Vendor: sveltejs
- Product: svelte
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-11
Who should care
Users of Svelte framework versions between 5.51.5 and 5.55.6 should update to version 5.55.7 or later to mitigate this vulnerability.
Technical summary
The vulnerability is caused by an internal regex in the Svelte runtime that can take exponential time to test in <svelte:element this={tag}></svelte:element>. This can lead to performance issues and potential denial-of-service attacks.
Defensive priority
MEDIUM
Recommended defensive actions
- Update Svelte to version 5.55.7 or later.
- Review and update any affected projects that use Svelte framework versions between 5.51.5 and 5.55.6.
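One way to carry out the review step above, as an added example (not code from Svelte or from the advisory): it scans the `packages` map of an npm lockfile (v2/v3) for `svelte` installs inside the affected range stated on this page. The lockfile content and the package names `some-widget` and `legacy-ui` are constructed for illustration.

```javascript
// Range taken from this page: affected from 5.51.5 up to, but not including, 5.55.7.
const AFFECTED_FROM = "5.51.5";
const FIXED_IN = "5.55.7";

// Parse "X.Y.Z[-pre][+build]" into a numeric core plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Sort-style comparator. Assumption: a prerelease orders before its own
// release (semver precedence), so a prerelease of 5.55.7 is still flagged.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  }
  return Number(b.pre) - Number(a.pre);
}

// true / false, or null when the version string cannot be parsed (review by hand).
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return compareVersions(v, parseVersion(AFFECTED_FROM)) >= 0 &&
         compareVersions(v, parseVersion(FIXED_IN)) < 0;
}

// Report every svelte install, including copies nested under other packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/svelte$/.test(path)) continue;
    findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile; in practice pass JSON.parse of package-lock.json.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/svelte": { version: "5.53.0" },
    "node_modules/@sveltejs/kit": { version: "2.0.0" },
    "node_modules/some-widget/node_modules/svelte": { version: "5.55.7" },
    "node_modules/legacy-ui/node_modules/svelte": { version: "5.51.4" },
  },
};
console.log(auditLockfile(sampleLock));
```

Nested copies matter here because a transitive dependency can pin its own `svelte` even after the top-level package is updated.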
Evidence notes
The vulnerability is patched in version 5.55.7. For more information, see the two mitigation or vendor references listed under Official resources.
Official resources
- CVE-2026-42567 CVE record (CVE.org)
- CVE-2026-42567 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-42567 was published on 2026-06-09T17:17:07.100Z and modified on 2026-06-11T18:54:39.847Z.