Advisories for Npm/Svelte package

2026

svelte is vulnerable to XSS with textarea bind:value

A server-side rendered <textarea> with two-way bound value does not have its value correctly escaped in the rendered HTML.

svelte vulnerable to Cross-site Scripting

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

2024

Svelte has a potential mXSS vulnerability due to improper HTML escaping

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

2022

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.