CVE-2026-42573
MEDIUM 5.3Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7.
NO EXPLOITATION SIGNALS
No known exploitation, public exploit, or elevated probability at this time. Track for changes.
Exploitation likelihood
0.3%chance of exploitation in 30 days · 24th percentile
○ In CISA KEV
○ Public exploit / PoC
Impact if exploited
5.3CVSS 4.0 · MEDIUM
- ConfidentialityLow
- IntegrityNone
- AvailabilityNone
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ⚠Privileges: Requires a low-privilege account
- ✓User interaction: No user interaction needed
- ⚠Complexity: Needs a race window or specific setup
- ⚠Requirements: Specific conditions must be present
✓ lowers the bar for an attacker · ⚠ raises it
Weakness (CWE)
- CWE-79: Cross-site scripting (XSS)
CVSS vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N
References
Technical & other
- https://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42
- https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7
- https://access.redhat.com/security/cve/CVE-2026-42573
- https://bugzilla.redhat.com/show_bug.cgi?id=2487093
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42573.json