to terminate the script and inject arbitrary JavaScript. This enab","datePublished":"2026-01-15T19:59:41.683000+00:00","dateModified":"2026-01-15T20:28:16.479000+00:00","inLanguage":"pt","author":{"@type":"Organization","name":"Vexday"},"publisher":{"@type":"Organization","name":"Vexday","url":"https://vexday.io"},"mainEntityOfPage":"https://vexday.io/pt/cve/CVE-2025-15265","keywords":"CVE-2025-15265, CWE-79","breadcrumb":{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Início","item":"https://vexday.io/pt"},{"@type":"ListItem","position":2,"name":"CVE-2025-15265"}]}}← voltar

CVE-2025-15265

Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR)

CVSS 5.3 MEDIUMEPSS 0.3%CWE-79

An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Produtos afetados

Svelte · Svelte

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://fluidattacks.com/advisories/lydianhttps://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3