SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6, unsanitized search param names cause an XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. This vulnerability is fixed in 2.20.6.
Reserved 2025-04-06 | Published 2025-04-15 | Updated 2025-04-16 | Assigner GitHub_M
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
github.com/...js/kit/security/advisories/GHSA-6q87-84jw-cjhp
github.com/...ommit/d3300c6a67908590266c363dba7b0835d9a194cf
github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.20.6
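An added triage example, not code from SvelteKit or the advisory: it compares an installed @sveltejs/kit version with 2.20.6 and flags lines in server load files that enumerate url.searchParams. The file-name pattern (+page.server / +layout.server), the regex heuristics and the sample source are assumptions constructed for illustration; hits are candidates for manual review.

```javascript
// First fixed @sveltejs/kit release, taken from the advisory text above.
const FIXED = [2, 20, 6];

// True when an exact "x.y.z" version is older than 2.20.6.
function isVulnerableVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`not an exact version: ${version}`);
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false; // exactly 2.20.6
}

// Assumption: server load functions live in +page.server / +layout.server files.
const SERVER_LOAD_FILE = /\+(page|layout)\.server\.(js|ts)$/;

// Heuristics for "iterate over all entries"; lookups such as .get('page') are ignored.
const ENUMERATION_PATTERNS = [
  /\bof\s+[\w.]*searchParams\b(?!\s*\.)/, // for (const [k, v] of url.searchParams)
  /searchParams\s*\.\s*(entries|keys|forEach)\s*\(/,
  /\.\.\.\s*[\w.]*searchParams\b/, // [...url.searchParams]
  /(Object\.fromEntries|Array\.from)\s*\(\s*[\w.]*searchParams\b/,
];

// Returns [{ line, text }] for each suspicious line in a server load file.
function findEnumerations(path, source) {
  if (!SERVER_LOAD_FILE.test(path)) return [];
  const hits = [];
  source.split('\n').forEach((text, i) => {
    if (ENUMERATION_PATTERNS.some((re) => re.test(text))) {
      hits.push({ line: i + 1, text: text.trim() });
    }
  });
  return hits;
}

// Constructed sample of a server load function (not from any real project).
const SAMPLE = [
  'export function load({ url }) {',
  "  const page = url.searchParams.get('page');",
  '  const filters = {};',
  '  for (const [name, value] of url.searchParams) filters[name] = value;',
  '  return { page, filters };',
  '}',
].join('\n');

console.log(isVulnerableVersion('2.20.5'), findEnumerations('src/routes/+page.server.js', SAMPLE));
```

A version older than 2.20.6 together with at least one hit means the project matches the affected condition described above and should be upgraded to 2.20.6 or later.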