CVE-2026-27125

UNKNOWN 0.0

Svelte SSR attribute spreading includes inherited properties from prototype chain

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.

CWE	CWE-915
Vendor	sveltejs
Product	svelte
Published	Feb 20, 2026
Last Updated	Feb 25, 2026

Stay Ahead of the Next One

Get instant alerts for sveltejs svelte

Be the first to know when new unknown vulnerabilities affecting sveltejs svelte are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

sveltejs / svelte

< 5.51.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp github.com: https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f github.com: https://github.com/sveltejs/svelte/releases/tag/[email protected]