exploitDog

CVE-2025-15265

Опубликовано: 15 янв. 2026

Источник: nvd

CVSS3: 6.1

EPSS Низкий

Описание

An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3.

Ссылки

https://fluidattacks.com/advisories/lydian
Exploit
Third Party Advisory
https://fluidattacks.com/advisories/lydian
Exploit
Third Party Advisory
https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*

Версия от 5.46.0 (включая) до 5.46.3 (исключая)

EPSS

Процентиль: 11%

0.00036

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-6738-r8g5-qwp3

github

23 дня назад

svelte vulnerable to Cross-site Scripting

EPSS

Процентиль: 11%

0.00036

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79