{"url":"http://public2.vulnerablecode.io/api/packages/1166071?format=json","purl":"pkg:npm/svelte@5.55.0","type":"npm","namespace":"","name":"svelte","version":"5.55.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.55.7","latest_non_vulnerable_version":"5.55.7","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70506?format=json","vulnerability_id":"VCID-3338-judc-5ke1","summary":"Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42573","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09141","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09128","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.0914","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14874","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42573"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42573","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42573"},{"reference_url":"https://github.com/advisories/GHSA-rcqx-6q8c-2c42","reference_id":"GHSA-rcqx-6q8c-2c42","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rcqx-6q8c-2c42"},{"reference_url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42","reference_id":"GHSA-rcqx-6q8c-2c42","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T18:25:38Z/"}],"url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42"},{"reference_url":"https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7","reference_id":"svelte%405.55.7","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T18:25:38Z/"}],"url":"https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375429?format=json","purl":"pkg:npm/svelte@5.55.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.55.7"}],"aliases":["CVE-2026-42573","GHSA-rcqx-6q8c-2c42"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3338-judc-5ke1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360477?format=json","vulnerability_id":"VCID-cxqy-4aua-v3bt","summary":"Svelte: SSR XSS via Insecure Promise Serialization in hydratable\nContents of `hydratable` promises were not properly stringified, potentially leading to an XSS exploit. You are vulnerable if all of the following is true:\n- you are using `hydratable` (an experimental feature at the time of this report)\n- you are passing attacker-controlled input such that a synchronous value is hydrated, then a promise value, e.g. `hydratable('someKey', () => [synchronousValue, promiseValue])`","references":[{"reference_url":"http://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://github.com/sveltejs/svelte/commit/a16ebc67bbcf8f708360195687e1b2719463e1a4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte/commit/a16ebc67bbcf8f708360195687e1b2719463e1a4"},{"reference_url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-f3cj-j4f6-wq85","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-f3cj-j4f6-wq85"},{"reference_url":"https://github.com/advisories/GHSA-f3cj-j4f6-wq85","reference_id":"GHSA-f3cj-j4f6-wq85","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f3cj-j4f6-wq85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375429?format=json","purl":"pkg:npm/svelte@5.55.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.55.7"}],"aliases":["GHSA-f3cj-j4f6-wq85"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cxqy-4aua-v3bt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70222?format=json","vulnerability_id":"VCID-vbz4-avaq-7kh6","summary":"Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. Note that this vulnerability only triggers if the user's browser has JavaScript enabled but Svelte's hydration mechanism does not reach the vulnerable element before the event fires. This issue has been patched in version 5.55.7.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42599.json","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42599.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42599","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10437","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10463","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.1046","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13638","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42599"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42599","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42599"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2487076","reference_id":"2487076","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2487076"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27121","reference_id":"CVE-2026-27121","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27121"},{"reference_url":"https://github.com/advisories/GHSA-pr6f-5x2q-rwfp","reference_id":"GHSA-pr6f-5x2q-rwfp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pr6f-5x2q-rwfp"},{"reference_url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-pr6f-5x2q-rwfp","reference_id":"GHSA-pr6f-5x2q-rwfp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T18:28:29Z/"}],"url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-pr6f-5x2q-rwfp"},{"reference_url":"https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7","reference_id":"svelte%405.55.7","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T18:28:29Z/"}],"url":"https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375429?format=json","purl":"pkg:npm/svelte@5.55.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.55.7"}],"aliases":["CVE-2026-42599","GHSA-pr6f-5x2q-rwfp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vbz4-avaq-7kh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70453?format=json","vulnerability_id":"VCID-ycam-n781-gkf8","summary":"Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42567.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42567.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42567","reference_id":"","reference_type":"","scores":[{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11899","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.15271","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.15236","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.15266","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42567"},{"reference_url":"https://github.com/sveltejs/svelte","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/svelte"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42567","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42567"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2487114","reference_id":"2487114","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2487114"},{"reference_url":"https://github.com/advisories/GHSA-9rmh-mm8f-r9h6","reference_id":"GHSA-9rmh-mm8f-r9h6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9rmh-mm8f-r9h6"},{"reference_url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-9rmh-mm8f-r9h6","reference_id":"GHSA-9rmh-mm8f-r9h6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T18:09:08Z/"}],"url":"https://github.com/sveltejs/svelte/security/advisories/GHSA-9rmh-mm8f-r9h6"},{"reference_url":"https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7","reference_id":"svelte%405.55.7","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T18:09:08Z/"}],"url":"https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375429?format=json","purl":"pkg:npm/svelte@5.55.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.55.7"}],"aliases":["CVE-2026-42567","GHSA-9rmh-mm8f-r9h6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ycam-n781-gkf8"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.55.0"}