2026-01-15 19:59:41
Fluid Attacks
PUBLISHED
An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3.