CVE-2026-27125 — MEDIUM (6.8)

Vulnerability Description

svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.

CVSS Score

6.8

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Svelte	Svelte	< 5.51.5

Related Weaknesses (CWE)

CWE-915

References

https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee9075Patch
https://github.com/sveltejs/svelte/releases/tag/[email protected]ProductRelease Notes
https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrpVendor Advisory

FAQ

What is CVE-2026-27125?

CVE-2026-27125 is a vulnerability with a CVSS score of 6.8 (MEDIUM). svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototyp...

How severe is CVE-2026-27125?

CVE-2026-27125 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-27125?

Check the references section above for vendor advisories and patch information. Affected products include: Svelte Svelte.