Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42573

CVE-2026-42573: Svelte Framework XSS Vulnerability

CVE-2026-42573 is a DOM clobbering XSS vulnerability in Svelte framework that allows attackers to manipulate internal state and execute malicious scripts. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-42573 Overview

CVE-2026-42573 is a Cross-Site Scripting (XSS) vulnerability in Svelte, a performance-oriented web framework. Versions prior to 5.55.7 are vulnerable to DOM clobbering of internal framework state on elements. Attackers can manipulate named DOM elements to overwrite framework internals, enabling script execution within the application context. The issue is tracked under CWE-79 and has been patched in Svelte 5.55.7.

Critical Impact

Successful exploitation allows attackers to inject and execute arbitrary JavaScript in the victim's browser, leading to session theft, credential capture, and unauthorized actions performed in the user's context.

Affected Products

  • Svelte versions prior to 5.55.7
  • Applications built on vulnerable Svelte releases that render attacker-influenced markup
  • Downstream SvelteKit projects depending on affected Svelte versions

Discovery Timeline

  • 2026-06-09 - CVE CVE-2026-42573 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-42573

Vulnerability Analysis

The vulnerability stems from Svelte's reliance on internal framework state attached to DOM elements at runtime. Attackers can introduce HTML elements with id or name attributes that collide with the framework's expected property lookups on DOM nodes. This collision, known as DOM clobbering, allows attacker-controlled markup to overwrite or shadow framework references. Once internal state is replaced with attacker-supplied values, Svelte's reactivity and rendering paths can be coerced into treating injected data as trusted, resulting in script execution.

The weakness is classified under CWE-79: Improper Neutralization of Input During Web Page Generation. It requires the application to render content where an attacker can influence element attributes, even when explicit <script> tags are sanitized away.

Root Cause

Svelte stored framework bookkeeping data on DOM elements using property names that could be shadowed by attacker-controlled named elements. Browsers expose named child elements as properties on parent containers and on the document object. When framework lookups encountered a clobbered property, they retrieved attacker data instead of trusted internal references. The patch in 5.55.7 hardens these lookups so injected markup cannot replace internal state.

Attack Vector

Exploitation requires the attacker to deliver markup that survives sanitization filters but retains attributes such as id, name, or nested anchor elements. The attacker hosts or submits content rendered by a vulnerable Svelte application, and a low-privileged user interaction triggers the clobbered property path. The attack complexity is high because the exploit depends on application-specific sanitization gaps and DOM structure. See the GitHub Security Advisory GHSA-rcqx-6q8c-2c42 for technical details.

Detection Methods for CVE-2026-42573

Indicators of Compromise

  • Rendered HTML containing unexpected named elements such as <a id="..."> or <form name="..."> whose attribute values match framework-internal identifiers.
  • Browser console errors or unexpected behavior originating from Svelte reactivity functions when processing user-supplied content.
  • Outbound requests to attacker-controlled domains originating from pages built on Svelte components that render untrusted HTML.

Detection Strategies

  • Inventory all Svelte dependencies using npm ls svelte or pnpm why svelte and flag any version below 5.55.7.
  • Run Software Composition Analysis (SCA) tooling against package-lock.json and pnpm-lock.yaml to identify transitive dependencies pulling vulnerable Svelte builds.
  • Add regression tests that render fixtures containing DOM clobbering payloads such as elements with id values matching internal property names.

Monitoring Recommendations

  • Monitor Content Security Policy (CSP) violation reports for inline script executions or unexpected event handler activations.
  • Log and alert on client-side errors emitted from Svelte runtime functions in production telemetry.
  • Track dependency update events in CI/CD pipelines to confirm Svelte upgrades reach production builds.

How to Mitigate CVE-2026-42573

Immediate Actions Required

  • Upgrade Svelte to version 5.55.7 or later across all projects and rebuild affected applications.
  • Audit components that render untrusted HTML using {@html ...} and restrict permitted tags and attributes.
  • Deploy a strict Content Security Policy that disables inline scripts and restricts script sources to trusted origins.

Patch Information

The Svelte maintainers released version 5.55.7 containing the fix. Review the Svelte 5.55.7 release notes and the GHSA-rcqx-6q8c-2c42 advisory for upgrade guidance.

Workarounds

  • Sanitize user-supplied HTML with a library such as DOMPurify before passing it into Svelte's {@html} directive, stripping id and name attributes.
  • Avoid rendering raw HTML from untrusted sources until the upgrade to 5.55.7 is complete.
  • Apply a CSP with script-src 'self' and object-src 'none' to reduce the impact of any successful injection.
bash
# Upgrade Svelte to the patched release
npm install svelte@5.55.7
# Verify the installed version
npm ls svelte

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.