Svelte: ReDoS in `<svelte:element>` Tag Validation
CVE-2026-42567

5.9MEDIUM

Key Information:

Vendor

Sveltejs

Status
Svelte
Vendor
CVE Published:
9 June 2026

What is CVE-2026-42567?

Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7.

Affected Version(s)

svelte >= 5.51.5, < 5.55.7

References

https://github.com/sveltejs/svelte/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/sveltejs/svelte/releases/tag/svelte%40...
x_refsource_MISC

CVSS V4

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.