CVE-2025-15265 MEDIUM

CVE-2025-15265: Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR)

Vendor Svelte
Product Svelte
Weakness CWE-79 · XSS
Published January 15, 2026
Last update January 15, 2026

CVSS base score

5.3/10
Attack vector Network (AV:N)
Attack complexity Low (AC:L)
Privileges required None (PR:N)
User interaction Passive (UI:P)
Confidentiality None on the vulnerable system (VC:N), Low on subsequent systems (SC:L)
Integrity None on the vulnerable system (VI:N), Low on subsequent systems (SI:L)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

An SSR XSS exists in async hydration when attacker-controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML-safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3.
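As an added illustration, not code from Svelte or from this advisory, the following shows the escaping that removes this bug class when SSR serialises untrusted data into an inline script, alongside a check modelled on how the browser decides where a script element ends. The `window.__hydratable` assignment, the function names and the sample key are assumptions made for the example.

```javascript
// Added example (not Svelte's code): serialising an untrusted value into an inline
// <script> during SSR so that a value containing "</script>" cannot end the block.

// Naive form: JSON.stringify leaves "<" and ">" intact, so a key containing
// "</script>" ends the script element early in the browser's HTML tokenizer.
function unsafeScriptPayload(key) {
  return `<script>window.__hydratable = ${JSON.stringify(key)};</script>`;
}

// Hardened form: after JSON.stringify, rewrite the characters the HTML parser
// cares about as JSON \uXXXX escapes. The tokenizer scans for a literal
// "</script" and no longer finds one; the JS engine decodes the escapes back
// to the identical string, so the hydrated value is unchanged.
const HTML_SENSITIVE = /[<>&\u2028\u2029]/g;
function safeScriptPayload(key) {
  const json = JSON.stringify(key).replace(HTML_SENSITIVE, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
  return `<script>window.__hydratable = ${json};</script>`;
}

// Model of how a browser reads the element: the body ends at the first
// "</script" (case-insensitive), whatever the server intended. Returns the
// value the client would actually receive, or null when the body is no longer
// one well-formed assignment, which is the signature of a broken-out script.
function recoverEmbeddedKey(html) {
  const open = html.indexOf('<script>');
  if (open < 0) return null;
  const bodyStart = open + '<script>'.length;
  const close = html.slice(bodyStart).search(/<\/script/i);
  if (close < 0) return null;
  const body = html.slice(bodyStart, bodyStart + close);
  const m = /^window\.__hydratable = ([\s\S]*);$/.exec(body);
  if (!m) return null;
  try { return JSON.parse(m[1]); } catch { return null; }
}

// Constructed sample key of the shape the advisory describes (not a real payload).
const HOSTILE_KEY = 'item-7</script>';
```

With the naive serialiser the recovered value is null (the script was cut short), while the hardened serialiser round-trips the key and emits exactly one `</script` sequence, the real closing tag.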

Key dates

02 Disclosure timeline

January 15, 2026 CVE published
January 15, 2026 Record updated

Related vulnerabilities

04 Related CVE