Vulnerable Library - lucide-svelte-0.564.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (lucide-svelte version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-42599 | High | 7.7 | svelte-5.53.5.tgz | Transitive | N/A* | ❌ |
| CVE-2026-42570 | High | 7.5 | devalue-5.6.3.tgz | Transitive | N/A* | ❌ |
| CVE-2026-42567 | Medium | 4.4 | svelte-5.53.5.tgz | Transitive | N/A* | ❌ |
| CVE-2026-30226 | Low | 3.7 | devalue-5.6.3.tgz | Transitive | 0.565.0 | ❌ |
| CVE-2026-42573 | Low | 3.5 | svelte-5.53.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2026-42599
Vulnerable Library - svelte-5.53.5.tgz
Cybernetically enhanced web apps
Library home page: https://registry.npmjs.org/svelte/-/svelte-5.53.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- lucide-svelte-0.564.0.tgz (Root Library)
  - ❌ svelte-5.53.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. Note that this vulnerability only triggers if the user's browser has JavaScript enabled but Svelte's hydration mechanism does not reach the vulnerable element before the event fires. This issue has been patched in version 5.55.7.
Publish Date: 2026-06-09
URL: CVE-2026-42599
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-16
Fix Resolution: https://github.com/sveltejs/svelte.git - svelte@5.55.7
Step up your Open Source Security Game with Mend here
CVE-2026-42570
Vulnerable Library - devalue-5.6.3.tgz
Gets the job done when JSON.stringify can't
Library home page: https://registry.npmjs.org/devalue/-/devalue-5.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- lucide-svelte-0.564.0.tgz (Root Library)
  - svelte-5.53.5.tgz
    - ❌ devalue-5.6.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1.
Publish Date: 2026-06-09
URL: CVE-2026-42570
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-16
Fix Resolution: https://github.com/sveltejs/devalue.git - v5.8.1
CVE-2026-42567
Vulnerable Library - svelte-5.53.5.tgz
Cybernetically enhanced web apps
Library home page: https://registry.npmjs.org/svelte/-/svelte-5.53.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- lucide-svelte-0.564.0.tgz (Root Library)
  - ❌ svelte-5.53.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7.
Publish Date: 2026-06-09
URL: CVE-2026-42567
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-16
Fix Resolution: https://github.com/sveltejs/svelte.git - svelte@5.55.7
CVE-2026-30226
Vulnerable Library - devalue-5.6.3.tgz
Gets the job done when JSON.stringify can't
Library home page: https://registry.npmjs.org/devalue/-/devalue-5.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- lucide-svelte-0.564.0.tgz (Root Library)
  - svelte-5.53.5.tgz
    - ❌ devalue-5.6.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.
Publish Date: 2026-03-11
URL: CVE-2026-30226
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-cfw5-2vxh-hr84
Release Date: 2026-03-11
Fix Resolution (devalue): 5.6.4
Direct dependency fix resolution (lucide-svelte): 0.565.0
CVE-2026-42573
Vulnerable Library - svelte-5.53.5.tgz
Cybernetically enhanced web apps
Library home page: https://registry.npmjs.org/svelte/-/svelte-5.53.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- lucide-svelte-0.564.0.tgz (Root Library)
  - ❌ svelte-5.53.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7.
Publish Date: 2026-06-09
URL: CVE-2026-42573
CVSS 3 Score Details (3.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-15
Fix Resolution: https://github.com/sveltejs/svelte.git - svelte@5.55.7