Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/svelte@3.6.6

Type npm

Namespace

Name svelte

Version 3.6.6

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.53.5

Latest_non_vulnerable_version 5.55.7

Affected_by_vulnerabilities

url VCID-2j3d-x54j-jfd1

vulnerability_id VCID-2j3d-x54j-jfd1

summary svelte performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). More specifically, this can occur when injecting malicious content into an attribute within a `noscript` tag. This issue has been addressed in release version 4.2.19. Users are advised to upgrade. There are no known workarounds for this vulnerability.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-45047

reference_id

reference_type

scores

value	0.00383
scoring_system	epss
scoring_elements	0.60147
published_at	2026-06-12T12:55:00Z

value	0.00383
scoring_system	epss
scoring_elements	0.60039
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-45047

reference_url

https://github.com/sveltejs/svelte

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/sveltejs/svelte

reference_url

https://github.com/sveltejs/svelte/commit/83e96e044deb5ecbae2af361ae9e31d3e1ac43a3

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/sveltejs/svelte/commit/83e96e044deb5ecbae2af361ae9e31d3e1ac43a3

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-45047

reference_id

CVE-2024-45047

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-45047

reference_url

https://github.com/advisories/GHSA-8266-84wp-wv5c

reference_id

GHSA-8266-84wp-wv5c

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8266-84wp-wv5c

reference_url

https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c

reference_id

GHSA-8266-84wp-wv5c

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-30T18:09:31Z/

url

https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c

fixed_packages

url pkg:npm/svelte@4.2.19

purl pkg:npm/svelte@4.2.19

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hh1-vzj8-bqfy

vulnerability	VCID-eub6-k2yh-suhb

vulnerability	VCID-w8kg-2qq6-xyet

vulnerability	VCID-x1g1-8b9m-5yhz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/svelte@4.2.19

aliases CVE-2024-45047, GHSA-8266-84wp-wv5c

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2j3d-x54j-jfd1

url VCID-4hh1-vzj8-bqfy

vulnerability_id VCID-4hh1-vzj8-bqfy

summary svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27122.json

reference_id

reference_type

scores

value	5.6
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27122.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-27122

reference_id

reference_type

scores

value	0.00011
scoring_system	epss
scoring_elements	0.01383
published_at	2026-06-12T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01381
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-27122

reference_url

https://github.com/sveltejs/svelte

reference_id

reference_type

scores

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/sveltejs/svelte

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2441520
reference_id	2441520
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2441520

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-27122

reference_id

CVE-2026-27122

reference_type

scores

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-27122

reference_url

https://github.com/advisories/GHSA-m56q-vw4c-c2cp

reference_id

GHSA-m56q-vw4c-c2cp

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-m56q-vw4c-c2cp

reference_url

https://github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cp

reference_id

GHSA-m56q-vw4c-c2cp

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:22:44Z/

url

https://github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cp

fixed_packages

url pkg:npm/svelte@5.51.5

purl pkg:npm/svelte@5.51.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-eub6-k2yh-suhb

vulnerability	VCID-ycam-n781-gkf8

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.51.5

aliases CVE-2026-27122, GHSA-m56q-vw4c-c2cp

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4hh1-vzj8-bqfy

url VCID-75fv-ej35-dyd6

vulnerability_id VCID-75fv-ej35-dyd6

summary Svelte vulnerable to XSS when using objects during server-side rendering

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-25875

reference_id

reference_type

scores

value	0.00725
scoring_system	epss
scoring_elements	0.73122
published_at	2026-06-12T12:55:00Z

value	0.00725
scoring_system	epss
scoring_elements	0.73044
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-25875

reference_url

https://github.com/sveltejs/svelte

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/sveltejs/svelte

reference_url

https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907

reference_url

https://github.com/sveltejs/svelte/pull/7530#23issuecomment-1158575990

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/sveltejs/svelte/pull/7530#23issuecomment-1158575990

reference_url	https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990
reference_id
reference_type
scores
url	https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990

reference_url

https://snyk.io/vuln/SNYK-JS-SVELTE-2931080

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-SVELTE-2931080

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-25875

reference_id

CVE-2022-25875

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-25875

reference_url

https://github.com/advisories/GHSA-wv8q-r932-8hc7

reference_id

GHSA-wv8q-r932-8hc7

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wv8q-r932-8hc7

fixed_packages

url pkg:npm/svelte@3.49.0

purl pkg:npm/svelte@3.49.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2j3d-x54j-jfd1

vulnerability	VCID-4hh1-vzj8-bqfy

vulnerability	VCID-eub6-k2yh-suhb

vulnerability	VCID-qsvk-vr5z-97hg

vulnerability	VCID-w8kg-2qq6-xyet

vulnerability	VCID-x1g1-8b9m-5yhz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/svelte@3.49.0

aliases CVE-2022-25875, GHSA-wv8q-r932-8hc7

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-75fv-ej35-dyd6

url VCID-eub6-k2yh-suhb

vulnerability_id VCID-eub6-k2yh-suhb

summary Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27901.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27901.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-27901

reference_id

reference_type

scores

value	0.00034
scoring_system	epss
scoring_elements	0.10472
published_at	2026-06-12T12:55:00Z

value	0.00034
scoring_system	epss
scoring_elements	0.1042
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-27901

reference_url

https://github.com/sveltejs/svelte

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/sveltejs/svelte

reference_url

https://github.com/sveltejs/svelte/releases/tag/svelte@5.53.5

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/sveltejs/svelte/releases/tag/svelte@5.53.5

reference_url

https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d

reference_id

0df5abcae223058ceb95491470372065fb87951d

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:30:46Z/

url

https://github.com/sveltejs/svelte/commit/0df5abcae223058ceb95491470372065fb87951d

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2442918
reference_id	2442918
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2442918

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-27901

reference_id

CVE-2026-27901

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-27901

reference_url

https://github.com/advisories/GHSA-phwv-c562-gvmh

reference_id

GHSA-phwv-c562-gvmh

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-phwv-c562-gvmh

reference_url

https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh

reference_id

GHSA-phwv-c562-gvmh

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:30:46Z/

url

https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh

reference_url

https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5

reference_id

svelte%405.53.5

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:30:46Z/

url

https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5

fixed_packages

url	pkg:npm/svelte@5.53.5
purl	pkg:npm/svelte@5.53.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.53.5

aliases CVE-2026-27901, GHSA-phwv-c562-gvmh

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eub6-k2yh-suhb

url VCID-qsvk-vr5z-97hg

vulnerability_id VCID-qsvk-vr5z-97hg

summary svelte is vulnerable to XSS with textarea bind:value

references

reference_url

https://github.com/sveltejs/svelte

reference_id

reference_type

scores

value	8.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:H/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/sveltejs/svelte

reference_url

https://github.com/sveltejs/svelte/commit/a31dec5eb30978cff7ff4d77f4bf316841f711bc

reference_id

reference_type

scores

value	8.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:H/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/sveltejs/svelte/commit/a31dec5eb30978cff7ff4d77f4bf316841f711bc

reference_url

https://github.com/advisories/GHSA-gw32-9rmw-qwww

reference_id

GHSA-gw32-9rmw-qwww

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-gw32-9rmw-qwww

reference_url

https://github.com/sveltejs/svelte/security/advisories/GHSA-gw32-9rmw-qwww

reference_id

GHSA-gw32-9rmw-qwww

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:H/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/sveltejs/svelte/security/advisories/GHSA-gw32-9rmw-qwww

fixed_packages

url pkg:npm/svelte@3.59.2

purl pkg:npm/svelte@3.59.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2j3d-x54j-jfd1

vulnerability	VCID-4hh1-vzj8-bqfy

vulnerability	VCID-eub6-k2yh-suhb

vulnerability	VCID-w8kg-2qq6-xyet

vulnerability	VCID-x1g1-8b9m-5yhz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/svelte@3.59.2

aliases GHSA-gw32-9rmw-qwww

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qsvk-vr5z-97hg

url VCID-w8kg-2qq6-xyet

vulnerability_id VCID-w8kg-2qq6-xyet

summary svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27121.json

reference_id

reference_type

scores

value	5.6
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27121.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-27121

reference_id

reference_type

scores

value	0.00011
scoring_system	epss
scoring_elements	0.0142
published_at	2026-06-12T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01418
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-27121

reference_url

https://github.com/sveltejs/svelte

reference_id

reference_type

scores

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/sveltejs/svelte

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2441532
reference_id	2441532
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2441532

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-27121

reference_id

CVE-2026-27121

reference_type

scores

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-27121

reference_url

https://github.com/advisories/GHSA-f7gr-6p89-r883

reference_id

GHSA-f7gr-6p89-r883

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-f7gr-6p89-r883

reference_url

https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883

reference_id

GHSA-f7gr-6p89-r883

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:31:36Z/

url

https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883

fixed_packages

url pkg:npm/svelte@5.51.5

purl pkg:npm/svelte@5.51.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-eub6-k2yh-suhb

vulnerability	VCID-ycam-n781-gkf8

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.51.5

aliases CVE-2026-27121, GHSA-f7gr-6p89-r883

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w8kg-2qq6-xyet

url VCID-x1g1-8b9m-5yhz

vulnerability_id VCID-x1g1-8b9m-5yhz

summary svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27125.json

reference_id

reference_type

scores

value	5.6
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27125.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-27125

reference_id

reference_type

scores

value	0.0003
scoring_system	epss
scoring_elements	0.09166
published_at	2026-06-12T12:55:00Z

value	0.0003
scoring_system	epss
scoring_elements	0.09109
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-27125

reference_url

https://github.com/sveltejs/svelte

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/sveltejs/svelte

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2441511
reference_id	2441511
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2441511

reference_url

https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f

reference_id

73098bb26c6f06e7fd1b0746d817d2c5ee90755f

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T21:33:01Z/

url

https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-27125

reference_id

CVE-2026-27125

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-27125

reference_url

https://github.com/advisories/GHSA-crpf-4hrx-3jrp

reference_id

GHSA-crpf-4hrx-3jrp

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-crpf-4hrx-3jrp

reference_url

https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp

reference_id

GHSA-crpf-4hrx-3jrp

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T21:33:01Z/

url

https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp

reference_url

https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5

reference_id

svelte@5.51.5

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T21:33:01Z/

url

https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5

fixed_packages

url pkg:npm/svelte@5.51.5

purl pkg:npm/svelte@5.51.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-eub6-k2yh-suhb

vulnerability	VCID-ycam-n781-gkf8

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/svelte@5.51.5

aliases CVE-2026-27125, GHSA-crpf-4hrx-3jrp

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x1g1-8b9m-5yhz

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/svelte@3.6.6

Package Instance