Elliott-With-The-Longest-Name-On-Github

**Name of the Vulnerable Software and Affected Versions** Svelte versions prior to 5.53.5 **Description** Svelte, a performance-oriented web framework, had an issue where the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped in versions prior to 5.53.5. This could allow for HTML injection and Cross-Site Scripting (XSS) if untrusted data is rendered as the initial value of the binding on the server. The vulnerable parameters are `innerText` and `textContent`. **Recommendations** Update to Svelte version 5.53.5 or later.

**Name of the Vulnerable Software and Affected Versions** @sveltejs/adapter-vercel versions prior to 6.3.2 **Description** @sveltejs/adapter-vercel is a framework used for developing web applications with Svelte. A flaw exists where an internal query parameter, designed for Incremental Static Regeneration (ISR), is accessible across all routes. This allows an attacker to manipulate the caching mechanism, potentially serving sensitive, user-specific responses to unintended recipients. Exploitation requires a user to access a malicious link while logged in. While Vercel’s Web Application Firewall (WAF) provides some protection for existing deployments, upgrading is recommended. Incremental Static Regeneration (ISR) is a technique that allows you to update static content after you've built your site. **Recommendations** Upgrade @sveltejs/adapter-vercel to version 6.3.2 or later.

**Name of the Vulnerable Software and Affected Versions** Svelte versions prior to 5.51.5 **Description** A flaw exists in Svelte where, during server-side rendering, the tag name provided to the `<svelte:element this={tag}>` component is not validated or sanitized before being included in the HTML output. This can lead to HTML injection if the `tag` string contains malicious characters. Client-side rendering is not impacted by this issue. The vulnerable component is `<svelte:element this={tag}>`. The vulnerable variable is `tag`. **Recommendations** Update to version 5.51.5 or later.

**Name of the Vulnerable Software and Affected Versions** Svelte versions 5.39.3 through 5.51.4 **Description** Svelte is susceptible to a flaw where, under specific conditions, the server-side rendering of an `<option>` element fails to properly escape its content. This can lead to potential HTML injection within the server-side rendered output. Client-side rendering is not impacted by this issue. **Recommendations** Update to version 5.51.5 or later.

**Name of the Vulnerable Software and Affected Versions** Svelte versions prior to 5.51.5 **Description** Svelte is susceptible to cross-site scripting (XSS) during server-side rendering. Utilizing spread syntax with untrusted data can lead to the inclusion of event handler properties in the generated HTML. An attacker can inject malicious event handlers into the rendered HTML if an application spreads user-controlled or external data as element attributes, resulting in code execution within a victim’s browser. The vulnerability occurs when spreading data as element attributes during server-side rendering. **Recommendations** Update to version 5.51.5 or later.

**Name of the Vulnerable Software and Affected Versions** Svelte versions prior to 5.51.5 **Description** Svelte is a performance-oriented web framework. In server-side rendering, attribute spreading on elements (e.g., `<div {...attrs}>`) enumerates inherited properties from the object's prototype chain instead of only own properties. If Object.prototype has been polluted—a condition outside of Svelte’s control—this can lead to unexpected attributes in the server-side rendering output or cause errors during server-side rendering. Client-side rendering is not affected. **Recommendations** Update to version 5.51.5 or later.