GHSA-9rmh-mm8f-r9h6

Source
https://github.com/advisories/GHSA-9rmh-mm8f-r9h6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-9rmh-mm8f-r9h6/GHSA-9rmh-mm8f-r9h6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9rmh-mm8f-r9h6
Aliases
  • CVE-2026-42567
Published
2026-05-14T20:29:05Z
Modified
2026-05-14T20:50:01.361839Z
Severity
  • 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Svelte: ReDoS in `<svelte:element>` Tag Validation
Details

An internal regex in the Svelte runtime can take exponential time to test in `<svelte:element this={tag}></svelte:element>`. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to `svelte:element`, you are safe.

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:29:05Z"
}
References

Affected packages

npm / svelte

Package

Affected ranges

Type
SEMVER
Events
Introduced
5.51.5
Fixed
5.55.7

Database specific

last_known_affected_version_range
"<= 5.55.6"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-9rmh-mm8f-r9h6/GHSA-9rmh-mm8f-r9h6.json"