CVE-2025-15265
MEDIUMSvelte 5.46.0-5.46.2 - Server-Side Rendering Cross-Site Scripting via Async Hydration Key Injection
Title source: llmDescription
An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3.
References (2)
Core 2
Core References
Exploit, Third Party Advisory third-party-advisory
https://fluidattacks.com/advisories/lydian
Third Party Advisory vendor-advisory
https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3
Scores
CVSS v3
6.1
EPSS
0.0002
EPSS Percentile
4.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
npm/svelte
5.46.0 - 5.46.4npm
svelte/svelte
5.46.0 - 5.46.3
Published
Jan 15, 2026
Tracked Since
Feb 18, 2026