{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-42573", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-28T17:26:12.084Z", "datePublished": "2026-06-09T16:21:29.313Z", "dateUpdated": "2026-06-30T02:46:14.901Z"}, "containers": {"cna": {"title": "Svelte: XSS via DOM Clobbering of Internal Framework State", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42"}, {"name": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7"}], "affected": [{"vendor": "sveltejs", "product": "svelte", "versions": [{"version": "< 5.55.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-09T16:21:29.313Z"}, "descriptions": [{"lang": "en", "value": "Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7."}], "source": {"advisory": "GHSA-rcqx-6q8c-2c42", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-09T18:25:38.450512Z", "id": "CVE-2026-42573", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-09T18:25:49.121Z"}}, {"affected": [{"cpes": ["cpe:/a:redhat:podman_desktop:1"], "defaultStatus": "unaffected", "product": "Red Hat Build of Podman Desktop", "vendor": "Red Hat"}], "datePublic": "2026-06-09T16:21:29.313Z", "descriptions": [{"lang": "en", "value": "A flaw was found in Svelte, a web framework. An attacker could exploit a DOM clobbering vulnerability, which allows manipulation of the Document Object Model (DOM) to overwrite internal framework state on elements. This could potentially lead to Cross-Site Scripting (XSS) attacks, enabling the attacker to inject malicious scripts into web pages viewed by other users."}], "metrics": [{"other": {"content": {"namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "references": [{"tags": ["vdb-entry", "x_refsource_REDHAT"], "url": "https://access.redhat.com/security/cve/CVE-2026-42573"}, {"name": "RHBZ#2487093", "tags": ["issue-tracking", "x_refsource_REDHAT"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487093"}, {"tags": ["x_sadp-csaf-vex"], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42573.json"}], "timeline": [{"lang": "en", "time": "2026-06-09T18:01:50.543Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-09T16:21:29.313Z", "value": "Made public."}], "title": "svelte: Svelte: Cross-Site Scripting via DOM Clobbering", "x_adpType": "supplier", "x_generator": {"engine": "sadp-cli 1.0.0"}, "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T02:46:14.901Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-42573", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-28T17:26:12.084Z", "datePublished": "2026-06-09T16:21:29.313Z", "dateUpdated": "2026-06-09T18:25:49.121Z"}, "containers": {"cna": {"title": "Svelte: XSS via DOM Clobbering of Internal Framework State", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42"}, {"name": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7"}], "affected": [{"vendor": "sveltejs", "product": "svelte", "versions": [{"version": "< 5.55.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-09T16:21:29.313Z"}, "descriptions": [{"lang": "en", "value": "Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7."}], "source": {"advisory": "GHSA-rcqx-6q8c-2c42", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42573", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-09T18:25:38.450512Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-09T18:25:45.872Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "1B40C48B-D103-49D1-8C45-38D3A9CC4294", "versionEndExcluding": "5.55.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7."}], "id": "CVE-2026-42573", "lastModified": "2026-06-11T18:46:50.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-06-09T17:17:07.400", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "svelte: Svelte: Cross-Site Scripting via DOM Clobbering", "id": "2487093", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487093"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7.", "A flaw was found in Svelte, a web framework. An attacker could exploit a DOM clobbering vulnerability, which allows manipulation of the Document Object Model (DOM) to overwrite internal framework state on elements. This could potentially lead to Cross-Site Scripting (XSS) attacks, enabling the attacker to inject malicious scripts into web pages viewed by other users."], "mitigation": {"lang": "en:us", "value": "There is no known workaround for this Svelte framework issue in affected Red Hat build of Podman Desktop builds.\nMitigation is to update the bundled svelte dependency to version 5.55.7 or later. Red Hat build of Podman Desktop engineering is expected to deliver updated builds for affected streams (1.0 and 1.1)."}, "name": "CVE-2026-42573", "package_state": [{"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Affected", "package_name": "rh-podman-desktop.git", "product_name": "Red Hat Build of Podman Desktop"}], "public_date": "2026-06-09T16:21:29Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-42573\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42573\nhttps://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7\nhttps://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42"], "statement": "Severity: Important\nThis issue is classified as Important severity primarily because:\n- Conditions for Exploitation: The flaw is a DOM clobbering issue in the Svelte framework. Exploitation requires an application to render user-influenced markup using Svelte patterns where attacker-controlled HTML can clobber internal framework state (for example, unsafe spread of form or element attributes in a Svelte component). Remote exploitation requires a victim to interact with attacker-influenced content in the affected application (RH CVSS UI:R).\n- Impact Limitations: The vulnerability is in a front-end UI framework dependency, not a standalone network service. Impact is limited to the security context of the application that embeds the vulnerable Svelte runtime. It does not by itself grant host or cluster compromise outside that application.\n- Product Context: Red Hat Product Security analysis identified vulnerable svelte versions bundled in Red Hat build of Podman Desktop 1.0 and 1.1. \n- Upstream Stance: The upstream Svelte project and GHSA rate this issue Moderate (CVSS 5.3). Red Hat rates it Important with RH CVSS 8.1 based on network attack vector, user interaction via the desktop UI, and high confidentiality and integrity impact in the affected client application context.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.55.7)"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "svelte", "source": "cna", "vendor": "sveltejs"}, "product": "svelte", "vendor": "svelte"}], "created": "2026-06-09T18:30:11.164855+00:00", "updated": "2026-06-09T20:00:17.198934+00:00", "vendors": ["svelte", "svelte$PRODUCT$svelte"]}