svelte
28 known vulnerabilities · 0 critical · 2 high
Svelte SSR does not validate dynamic element tag names in `<svelte:element>`
Svelte SSR attribute spreading includes inherited properties from prototype chain
svelte is vulnerable to XSS with textarea bind:value
Svelte affected by cross-site scripting via spread attributes in Svelte SSR
Svelte vulnerable to XSS when using objects during server-side rendering
Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`
Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers
@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass
Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties
@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service
Memory exhaustion in SvelteKit remote form deserialization (experimental only)
`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`
SvelteKit framework has Insufficient CSRF protection for CORS requests
SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)
CPU exhaustion in SvelteKit remote form deserialization (experimental only)
SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering
Malicious code in svelte-hms-world (npm)
Malicious code in svelte-toasty (npm)
Malicious code in mapkit-example-svelte (npm)
Malicious code in svelte-autocomplete-select (npm)
@sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sveltekit-formdata)
Malicious code in pysvelte (npm)
Malicious code in svelte-local-storage (npm)
Malicious code in svelte-monorepo (npm)