CVE-2026-42599 Overview
CVE-2026-42599 is a cross-site scripting (XSS) vulnerability [CWE-79] in the Svelte web framework. Versions prior to 5.55.7 allow attacker-controlled event handler attributes to render into HTML when applications use spread syntax to apply attributes from untrusted data. The injected handlers execute in a victim's browser when Svelte's hydration mechanism does not reach the affected element before the event fires. The Svelte maintainers patched the issue in version 5.55.7.
Critical Impact
Attackers can inject arbitrary JavaScript event handlers into pages that spread untrusted data as element attributes, leading to script execution in the victim's browser session.
Affected Products
- Svelte versions prior to 5.55.7
- Applications using attribute spread syntax with untrusted input
- Server-rendered Svelte pages where hydration may be delayed or incomplete
Discovery Timeline
- 2026-06-09 - CVE-2026-42599 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-42599
Vulnerability Analysis
The flaw resides in how Svelte renders attributes when developers use spread syntax to apply an object of attributes to an element. When the source object contains keys that begin with on followed by an event name, Svelte includes these as event handler properties in the rendered HTML output rather than filtering them. If any portion of that object originates from user-controlled or otherwise untrusted data, an attacker can supply attribute names such as onclick, onmouseover, or onerror to embed JavaScript directly in the DOM.
Exploitation requires a narrow window. The vulnerable handler only executes when JavaScript is enabled in the victim's browser and the event triggers before Svelte's client-side hydration replaces the static markup with the framework-managed event system. Static pages, slow-loading bundles, and large component trees increase the exposure window.
Root Cause
The root cause is missing sanitization of attribute keys during spread rendering. Svelte's attribute serialization did not exclude event handler properties when expanding untrusted objects, allowing arbitrary inline handlers to reach the rendered output [CWE-79].
Attack Vector
An attacker delivers a crafted payload through any input that flows into a spread attribute object on a Svelte element. The framework renders the malicious on* attribute into the HTML, and a triggered DOM event executes attacker-controlled JavaScript in the victim's origin. See the GitHub Security Advisory GHSA-pr6f-5x2q-rwfp for technical details.
Detection Methods for CVE-2026-42599
Indicators of Compromise
- Unexpected on* attribute names appearing in server-rendered HTML from Svelte applications
- Outbound requests from end-user browsers to attacker-controlled domains following page loads
- Browser console errors referencing inline event handlers on elements that should not contain them
Detection Strategies
- Audit the application source tree for spread syntax such as <element {...untrustedData}> applied to objects derived from request parameters, database records, or third-party APIs
- Review server logs for query strings, form fields, or JSON bodies containing attribute names beginning with on
- Run automated XSS scanners against staging endpoints that accept user data later reflected through spread attributes
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting to capture inline-script violations triggered by injected handlers
- Monitor web application firewall (WAF) logs for payloads containing onerror=, onclick=, and similar patterns
- Track Svelte dependency versions in build manifests and alert on installations below 5.55.7
How to Mitigate CVE-2026-42599
Immediate Actions Required
- Upgrade Svelte to version 5.55.7 or later across all affected projects
- Inventory components that spread external data as element attributes and refactor them to pass explicit, validated props
- Deploy a strict Content Security Policy that disallows inline event handlers as a defense-in-depth control
Patch Information
The maintainers released the fix in Svelte v5.55.7. Update the dependency in package.json and rebuild and redeploy all affected applications. The advisory is available at GitHub Security Advisory GHSA-pr6f-5x2q-rwfp.
Workarounds
- Sanitize untrusted objects before spreading them by stripping any keys that match the pattern /^on/i
- Replace spread syntax with explicit attribute bindings sourced only from trusted, server-validated values
- Apply a Content Security Policy header that blocks inline scripts and inline event handlers
# Configuration example
npm install svelte@5.55.7
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

