CVE-2026-27125

ADVISORY - github

Summary

In server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected.

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-915⁠

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.