CVE-2026-42573: Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.
You are vulnerable if all of the following are true:
- you are using attribute spreading on a form element
- you are using attribute spreading or allow a dynamic value for the `name` attribute on an input or button element within that form
- both of these are simultaneously user-controllable
```svelte
<form {...spread1}>
  <input {...spread2}>
</form>
```
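One way to audit a code base for the template pattern listed above, as an added example (not code from Svelte or from this advisory): a heuristic JavaScript scanner that flags `input`/`button` tags with a spread or dynamic `name` inside a `form` that itself uses a spread. The function names and the sample component are constructed for illustration, and whether the flagged values are user-controllable still needs manual review.

```javascript
// Added example: heuristic audit for the advisory's pattern; not a full Svelte parser.
const SPREAD = /\{\s*\.\.\./;
// Matches name={x}, name="{x}", name="a-{x}" and the {name} shorthand.
const DYNAMIC_NAME = /(^|\s)name\s*=\s*(\{|["'][^"']*\{)|\{\s*name\s*\}/;

// Yield each tag, ending at the first '>' outside quotes and {...} (arrow functions are safe).
function* tags(src) {
  const open = /<(\/?)([a-zA-Z][\w:.-]*)/g;
  let m;
  while ((m = open.exec(src))) {
    let i = open.lastIndex, depth = 0, quote = null;
    for (; i < src.length; i++) {
      const c = src[i];
      if (quote) { if (c === quote) quote = null; }
      else if (depth === 0 && (c === '"' || c === "'")) quote = c;
      else if (c === '{') depth++;
      else if (c === '}') depth--;
      else if (c === '>' && depth === 0) break;
    }
    yield { closing: m[1] === '/', name: m[2], attrs: src.slice(open.lastIndex, i), index: m.index };
    open.lastIndex = i + 1;
  }
}

function findClobberCandidates(src) {
  // Blank out <script>/<style> bodies but keep newlines so line numbers stay valid.
  const clean = src.replace(/<(script|style)\b[\s\S]*?<\/\1>/gi, s => s.replace(/[^\n]/g, ' '));
  const lineOf = i => clean.slice(0, i).split('\n').length;
  const forms = [], findings = [];
  for (const t of tags(clean)) {
    if (t.name === 'form') {
      if (t.closing) forms.pop();
      else forms.push({ spread: SPREAD.test(t.attrs), line: lineOf(t.index) });
    } else if (!t.closing && (t.name === 'input' || t.name === 'button')) {
      const form = forms[forms.length - 1]; // innermost enclosing <form>
      if (form && form.spread && (SPREAD.test(t.attrs) || DYNAMIC_NAME.test(t.attrs)))
        findings.push({ control: t.name, line: lineOf(t.index), formLine: form.line });
    }
  }
  return findings;
}

// Constructed sample component, not taken from any real project.
const SAMPLE = `<script>export let formProps, fieldProps, label;</script>
<form {...formProps}>
  <input {...fieldProps}>
  <button name={label} onclick={() => go()}>Go</button>
  <input name="q">
</form>
<form action="/search"><input {...fieldProps}></form>`;
```

Controls rendered by a child component inside the form are not visible to this per-file scan, so check those components separately.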