CVE-2025-15265

Sažetak

An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3.

Reference

https://fluidattacks.com/advisories/lydian
https://fluidattacks.com/advisories/lydian
https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

16-01-2026 - 15:55

Objavljeno

15-01-2026 - 20:16