OsVault/npm/svelte
npm

svelte

34 known vulnerabilities · 0 critical · 2 high

CVE-2026-27122

Svelte SSR does not validate dynamic element tag names in `<svelte:element>`

Published Feb 19, 2026
CVE-2026-27125

Svelte SSR attribute spreading includes inherited properties from prototype chain

Published Feb 19, 2026
GHSA-gw32-9rmw-qwww

svelte is vulnerable to XSS with textarea bind:value

Published Jan 16, 2026
CVE-2026-27121

Svelte affected by cross-site scripting via spread attributes in Svelte SSR

Published Feb 19, 2026
CVE-2026-27119

Svelte affected by XSS in SSR `<option>` element

Published Feb 19, 2026
GHSA-9rmh-mm8f-r9h6

Svelte: ReDoS in `<svelte:element>` Tag Validation

Published May 14, 2026
GHSA-f3cj-j4f6-wq85

Svelte: SSR XSS via Insecure Promise Serialization in hydratable

Published May 14, 2026
GHSA-pr6f-5x2q-rwfp

Svelte SSR vulnerable to cross-site scripting via spread attributes

Published May 14, 2026
GHSA-rcqx-6q8c-2c42

Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State

Published May 14, 2026
CVE-2026-27901

Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`

Published Feb 26, 2026
CVE-2025-15265

svelte vulnerable to Cross-site Scripting

Published Jan 15, 2026
CVE-2026-27902

Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers

Published Feb 26, 2026
CVE-2022-25875MEDIUM

Svelte vulnerable to XSS when using objects during server-side rendering

Published Jul 13, 2022
GHSA-vrhm-gvg7-fpcf

Memory exhaustion in SvelteKit remote form deserialization (experimental only)

Published Feb 19, 2026
CVE-2025-62381

`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`

Published Oct 15, 2025
CVE-2026-27118

Cache poisoning in @sveltejs/adapter-vercel

Published Feb 19, 2026
GHSA-mwv9-gp5h-frr4

Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties

Published Mar 12, 2026
CVE-2023-29008HIGH

SvelteKit framework has Insufficient CSRF protection for CORS requests

Published Apr 7, 2023
GHSA-2crg-3p73-43xp

@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass

Published Apr 10, 2026
GHSA-3f6h-2hrp-w5wx

@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service

Published Apr 10, 2026
GHSA-88qp-p4qg-rqm6

CPU exhaustion in SvelteKit remote form deserialization (experimental only)

Published Feb 19, 2026
GHSA-77vg-94rm-hx3p

Svelte devalue: DoS via sparse array deserialization

Published May 14, 2026
CVE-2023-29003HIGH

SvelteKit vulnerable to Cross-Site Request Forgery

Published Apr 4, 2023
CVE-2025-67647

SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering

Published Jan 15, 2026
MAL-2025-191017

Malicious code in svelte-toasty (npm)

Published Nov 24, 2025
MAL-2026-523

Malicious code in mapkit-example-svelte (npm)

Published Jan 27, 2026
GHSA-fpg4-jhqr-589c

SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)

Published Feb 28, 2026
CVE-2026-22803

@sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sveltekit-formdata)

Published Jan 15, 2026
MAL-2025-4892

Malicious code in svelte-local-storage (npm)

Published Jun 10, 2025
MAL-2024-9187

Malicious code in svelte-hms-world (npm)

Published Oct 9, 2024
MAL-2026-151

Malicious code in svelte-monorepo (npm)

Published Jan 8, 2026
GHSA-hgv7-v322-mmgr

@sveltejs/kit: `query.batch` cross-talk

Published May 21, 2026
MAL-2025-5086

Malicious code in pysvelte (npm)

Published Jun 18, 2025
MAL-2025-191016

Malicious code in svelte-autocomplete-select (npm)

Published Nov 24, 2025
Check your entire dependency tree at onceRun dependency scan →