CVE-2025-15265

Name of the Vulnerable Software and Affected Versions Svelte versions 5.46.0 through 5.46.2

Description A cross-site scripting (XSS) issue exists due to improper escaping of hydratable keys. When these keys include untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML. This allows for remote script execution in users' browsers, potentially leading to session theft and account compromise. The hydratable function uses a key to uniquely identify data, and this key is embedded into a <script> block without proper escaping. A malicious key can terminate the script and inject arbitrary JavaScript into the HTML response.

Recommendations Upgrade to a patched version of Svelte.