Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR)

An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Svelte 跨站脚本漏洞

Svelte是Svelte开源的一种构建 Web 应用程序的新方法。 Svelte 5.46.3之前版本存在跨站脚本漏洞，该漏洞源于异步水合过程中未对攻击者控制的密钥进行HTML安全转义，可能导致远程脚本执行。

N/A

N/A