PT-2026-21307 · Svelte · Svelte

Elliott-With-The-Longest-Name-On-Github · Published 2026-02-19 · Updated 2026-02-20 · CVE-2026-27125

CVSS v3.1: 6.8 Medium
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions
Svelte versions prior to 5.51.5

Description
Svelte is a performance-oriented web framework. In server-side rendering, attribute spreading on elements (e.g., `<div {...attrs}>`) enumerates inherited properties from the object's prototype chain instead of only own properties. If Object.prototype has been polluted—a condition outside of Svelte’s control—this can lead to unexpected attributes in the server-side rendering output or cause errors during server-side rendering. Client-side rendering is not affected.

Recommendations
Update to version 5.51.5 or later.
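
The difference between enumerating inherited and own properties when serializing spread attributes, as an added illustration (this is not Svelte's source code; all function names are hypothetical, and a locally constructed prototype stands in for a polluted Object.prototype):

```javascript
// Added illustration; not Svelte's implementation. All names are hypothetical.

// Minimal attribute-value escaping for the demo serializer.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;');
}

function serialize(pairs) {
  return pairs.map(([name, value]) => ` ${name}="${escapeAttr(value)}"`).join('');
}

// Pattern described in the advisory: for...in also walks the prototype chain.
function renderAttrsInherited(attrs) {
  const pairs = [];
  for (const name in attrs) pairs.push([name, attrs[name]]);
  return `<div${serialize(pairs)}></div>`;
}

// Hardened pattern: Object.keys returns own enumerable string keys only.
function renderAttrsOwn(attrs) {
  return `<div${serialize(Object.keys(attrs).map((n) => [n, attrs[n]]))}></div>`;
}

// Check: enumerable keys visible to for...in that are not own properties.
function inheritedEnumerableKeys(obj) {
  const found = [];
  for (const name in obj) {
    if (!Object.prototype.hasOwnProperty.call(obj, name)) found.push(name);
  }
  return found;
}

// Constructed sample: the prototype is local to this object, so the
// global Object.prototype is left untouched.
const proto = { 'data-inherited': 'from-prototype' };
const attrs = Object.assign(Object.create(proto), { id: 'box', title: 'a "b"' });

console.log(renderAttrsInherited(attrs)); // includes data-inherited
console.log(renderAttrsOwn(attrs));       // own attributes only
console.log(inheritedEnumerableKeys({})); // empty on a clean runtime
```

A non-empty result from `inheritedEnumerableKeys({})` in a running server process means Object.prototype carries enumerable additions, which is the precondition the description names.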

Related Identifiers

CVE-2026-27125
GHSA-CRPF-4HRX-3JRP

Affected Products

Svelte