
sveltejs — Vulnerabilities & Security Advisories (22)

Browse all 22 CVE security advisories affecting sveltejs. AI-powered Chinese analysis, POCs, and references for each vulnerability.

SvelteJS is a compiler-based JavaScript framework designed to build user interfaces by shifting work from runtime to build time, primarily targeting web application development. With twenty-two recorded Common Vulnerabilities and Exposures, its security profile reflects typical web framework risks rather than unique architectural flaws. Historically, reported issues have predominantly involved Cross-Site Scripting (XSS) stemming from improper input sanitization or unsafe rendering practices, alongside occasional server-side request forgery and information disclosure vulnerabilities. Unlike traditional frameworks, SvelteJS does not include a built-in runtime DOM, which inherently reduces certain client-side attack surfaces but shifts responsibility for secure coding practices directly to the developer. No major, widespread incidents have defined its history, though the accumulation of CVEs highlights the necessity for rigorous dependency management and code review. The framework’s security posture remains dependent on the implementation quality of individual projects rather than inherent framework weaknesses.

Top products by sveltejs: kit, svelte, devalue

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40074 | SvelteKit's invalidated redirect in handle hook causes Denial-of-Service | kit | CWE-755 | 6.5 | - | 2026-04-10 |
| CVE-2026-40073 | SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node | kit | CWE-770 | 5.3 | - | 2026-04-10 |
| CVE-2026-30226 | devalue has prototype pollution in devalue.parse and devalue.unflatten | devalue | CWE-1321 | 9.1 | Critical (AI) | 2026-03-11 |
| CVE-2026-27902 | Svelte vulnerable to XSS via HTML comment injection in SSR error boundary hydration markers | svelte | CWE-79 | 6.1 | Medium (AI) | 2026-02-26 |
| CVE-2026-27901 | Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent` | svelte | CWE-79 | 6.1 | Medium (AI) | 2026-02-26 |
| CVE-2026-27125 | Svelte SSR attribute spreading includes inherited properties from prototype chain | svelte | CWE-915 | 3.7 | - | 2026-02-20 |
| CVE-2026-27122 | Svelte SSR does not validate dynamic element tag names in `<svelte:element>` | svelte | CWE-79 | 6.1 | - | 2026-02-20 |
| CVE-2026-27121 | Svelte affected by cross-site scripting via spread attributes in Svelte SSR | svelte | CWE-79 | 6.1 | - | 2026-02-20 |
| CVE-2026-27119 | Svelte affected by XSS in SSR `<option>` element | svelte | CWE-79 | 6.1 | - | 2026-02-20 |
| CVE-2026-27118 | Cache poisoning in @sveltejs/adapter-vercel | kit | CWE-346 | 5.4 | Medium (AI) | 2026-02-20 |
| CVE-2026-22775 | devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse | devalue | CWE-405 | 7.5 | High | 2026-01-15 |
| CVE-2026-22774 | devalue vulnerable to denial of service due to memory exhaustion in devalue.parse | devalue | CWE-405 | 7.5 | High | 2026-01-15 |
| CVE-2026-22803 | SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer | kit | CWE-789 | 7.5 | High (AI) | 2026-01-15 |
| CVE-2025-67647 | SvelteKit denial of service and possible SSRF when using prerendering | kit | CWE-248 | 7.5 | High (AI) | 2026-01-15 |
| CVE-2025-57820 | Svelte devalue vulnerable to prototype pollution | devalue | CWE-1321 | 9.1 | Critical (AI) | 2025-08-26 |
| CVE-2025-32388 | SvelteKit allows XSS via tracked search_params | kit | CWE-79 | 5.4 | Medium | 2025-04-15 |
| CVE-2024-53261 | Cross-Site Scripting (XSS) on dev mode 404 page in SvelteKit | kit | CWE-79 | 6.1 | Medium (AI) | 2024-11-25 |
| CVE-2024-53262 | Unescaped error message included on error page in SvelteKit | kit | CWE-79 | 7.1 | High (AI) | 2024-11-25 |
| CVE-2024-45047 | Potential mXSS vulnerability due to improper HTML escaping in svelte | svelte | CWE-79 | 5.4 | Medium | 2024-08-30 |
| CVE-2024-23641 | Sending a GET or HEAD request with a body crashes SvelteKit | kit | CWE-20 | 7.5 | High | 2024-01-24 |
| CVE-2023-29008 | SvelteKit framework has insufficient CSRF protection for CORS requests | kit | CWE-918 | 8.8 | High | 2023-04-06 |
| CVE-2023-29003 | SvelteKit has insufficient Cross-Site Request Forgery protection | kit | CWE-352 | 8.8 | High | 2023-04-04 |

Severity values marked "(AI)" carry the listing's AI badge; "-" means no severity rating is listed for that entry.

This page lists every published CVE security advisory associated with sveltejs. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.