CVE-2026-42599 is a MEDIUM severity vulnerability in Svelte, a performance-oriented web framework. Prior to version 5.55.7, it allows attackers to inject malicious event handlers via spread syntax when rendering attributes from untrusted data. This can lead to execution of the injected handlers in victims' browsers if JavaScript is enabled and Svelte's hydration mechanism doesn't reach the vulnerable element before the event fires.
CVE-2026-42573 is a MEDIUM severity vulnerability in Svelte, a performance-oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7.
CVE-2026-42570 is a HIGH severity vulnerability in Svelte devalue, a JavaScript library for serializing values into strings. Versions from 5.6.3 to before 5.8.1 are vulnerable to excessive memory consumption due to quirks in some JavaScript engines when deserializing sparse arrays. This issue has been patched in version 5.8.1.
CVE-2026-42567 is a vulnerability in Svelte, a performance-oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test when <svelte:element this={tag}></svelte:element> is used. This issue has been patched in version 5.55.7.