CVE-2026-42573 — Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State

Description

Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. You are vulnerable if all of the following is true: - you are using attribute spreading on a form element - you are using attribute spreading or allow a dynamic value for the `name` attribute on an input or button element within that form - both of these are simultaneously user-controllable ```svelte <form {...spread1}> <input {...spread2}> </form> ```

How to fix CVE-2026-42573

To remediate CVE-2026-42573, upgrade the affected package to a fixed version below.

npm/svelte—upgrade to 5.55.7 or later

Is CVE-2026-42573 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-42573.

Affected packages (1)

from 0, < 5.55.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-42573
PATCHgithub.com/sveltejs/svelte
WEBgithub.com/sveltejs/svelte/releases/tag/svelte%405.55.7
WEBgithub.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42