CVE-2026-42573

Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.

You are vulnerable if all of the following is true:

• you are using attribute spreading on a form element
• you are using attribute spreading or allow a dynamic value for the name attribute on an input or button element within that form
• both of these are simultaneously user-controllable

<form {...spread1}>
  <input {...spread2}>
</form>