Start your free trial today.

Protect your organization with cutting-edge cybersecurity solutions designed for resilience and efficiency. Secure your digital assets with confidence.

Your Shield Against Threats

Unleash the Power of Cybersecurity

Boost Your Security, Enhance Your Business

We solve Your Cyber Challenges

Quick Links

Resources

Deepaegis Portals

Vulnerability Advisory : Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR) with LOW Attack Complexity

Summary

An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3.

Impact Assessment

Timeline

Published

January 15, 2026

Last Modified

January 15, 2026

Related Advisories

to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise.\nThis issue affects Svelte: from 5.46.0 before 5.46.3.","datePublished":"2026-01-15T19:59:41.683Z","dateModified":"2026-01-15T20:28:16.479Z","author":{"@type":"Organization","name":"Deepaegis","url":"https://deepaegis?.io"},"publisher":{"@type":"Organization","name":"Deepaegis","logo":{"@type":"ImageObject","url":"https://deepaegis?.io/logo?.png"}},"mainEntityOfPage":{"@type":"WebPage","@id":"https://deepaegis?.io/vulnerability-advisories/svelte-5460-hydratable-key-script-breakout-xss-ssr"},"keywords":"CVE-2025-15265, , Svelte, Svelte"}