Vulnerability Details CVE-2026-42567
Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 15.3%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2026-42567
-
cpe:2.3:a:svelte:svelte:5.51.5
-
cpe:2.3:a:svelte:svelte:5.52.0
-
cpe:2.3:a:svelte:svelte:5.53.0
-
cpe:2.3:a:svelte:svelte:5.53.1
-
cpe:2.3:a:svelte:svelte:5.53.10
-
cpe:2.3:a:svelte:svelte:5.53.11
-
cpe:2.3:a:svelte:svelte:5.53.12
-
cpe:2.3:a:svelte:svelte:5.53.13
-
cpe:2.3:a:svelte:svelte:5.53.2
-
cpe:2.3:a:svelte:svelte:5.53.3
-
cpe:2.3:a:svelte:svelte:5.53.4
-
cpe:2.3:a:svelte:svelte:5.53.5
-
cpe:2.3:a:svelte:svelte:5.53.6
-
cpe:2.3:a:svelte:svelte:5.53.7
-
cpe:2.3:a:svelte:svelte:5.53.8
-
cpe:2.3:a:svelte:svelte:5.53.9
-
cpe:2.3:a:svelte:svelte:5.54.0
-
cpe:2.3:a:svelte:svelte:5.54.1
-
cpe:2.3:a:svelte:svelte:5.55.0
-
cpe:2.3:a:svelte:svelte:5.55.1
-
cpe:2.3:a:svelte:svelte:5.55.2
-
cpe:2.3:a:svelte:svelte:5.55.3
-
cpe:2.3:a:svelte:svelte:5.55.4
-
cpe:2.3:a:svelte:svelte:5.55.5
-
cpe:2.3:a:svelte:svelte:5.55.6