|
Vulnerabilities
< Back

CVE-2026-27125

Updated on 20 Feb 2026

Severity

6.8 Medium severity

Details

CVSS score
6.8
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE ID
Links
NISTCIRCLRHELUbuntu

Overview

About vulnerability

svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {…attrs}>) enumerates inherited properties from the object’s prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte’s control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.

Details

Affected product:
astro , language-server , language-tools , svelte , svelte2tsx
Affected packages:
svelte (+12 more)
svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {…attrs}>) enumerates inherited properties from the object’s prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte’s control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.

Fixes