5.3
Svelte Server-Side Rendering Includes Unwanted Attributes
CVE-2026-27125
GHSA-crpf-4hrx-3jrp
Summary
When using Svelte's server-side rendering, malicious code can inject unwanted attributes into web pages. This is because attribute spreading in Svelte's SSR does not exclude inherited properties, so anything present on an object's prototype chain is rendered along with the object's own properties. To avoid this, ensure that your code does not modify `Object.prototype` and that you do not use a library that does. Update to the latest version of Svelte if possible, and consider using a security-focused library or framework for server-side rendering.
What to do
- Update GitHub Actions svelte to version 5.51.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| GitHub Actions | svelte | <= 5.51.4 | 5.51.5 |
| svelte | svelte | <= 5.51.5 | – |
Original title
Svelte SSR attribute spreading includes inherited properties from prototype chain
Original description
In server-side rendering, attribute spreading on elements (e.g. `<div {...attrs}>`) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where `Object.prototype` has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected.
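The enumeration difference described above, as an added example that is not from the original page and is not Svelte's code: the function names and sample attributes are hypothetical, and the polluted `Object.prototype` precondition is simulated for one call and then removed.

```javascript
// Added illustration; not Svelte's source. All names here are hypothetical.
const escapeAttr = (v) =>
  String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');

// for...in walks the prototype chain, so inherited enumerable keys are rendered.
function spreadInherited(attrs) {
  let out = '';
  for (const name in attrs) out += ` ${name}="${escapeAttr(attrs[name])}"`;
  return out;
}

// Object.keys returns own enumerable string keys only.
function spreadOwn(attrs) {
  let out = '';
  for (const name of Object.keys(attrs)) out += ` ${name}="${escapeAttr(attrs[name])}"`;
  return out;
}

// Defensive check: any key listed here means Object.prototype has been modified.
function enumerablePrototypeKeys() {
  const keys = [];
  for (const k in {}) keys.push(k);
  return keys;
}

// Simulates the precondition for the duration of fn, then restores the prototype.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key, {
    value, enumerable: true, configurable: true, writable: true,
  });
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

function demo() {
  const attrs = { id: 'card', class: 'box' }; // constructed sample input
  return withPollutedPrototype('data-injected', 'x', () => ({
    inherited: spreadInherited(attrs),
    own: spreadOwn(attrs),
    detected: enumerablePrototypeKeys(),
  }));
}
```

Running `enumerablePrototypeKeys()` at server start-up and failing when it returns anything is a cheap way to notice the precondition before rendering.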
nvd CVSS3.1
6.8
nvd CVSS4.0
5.3
Vulnerability type
CWE-915
- https://github.com/sveltejs/svelte/releases/tag/[email protected] Product Release Notes
- https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-27125
- https://github.com/advisories/GHSA-crpf-4hrx-3jrp
- https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee9075... Patch
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026