{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-15T19:59:41Z",
  "bugzilla" : {
    "description" : "Svelte: Remote script execution via Cross-Site Scripting (XSS) in async hydration",
    "id" : "2430177",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2430177"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-79",
  "details" : [ "A server-side rendering (SSR) cross-site scripting (XSS) flaw exists in async hydration when attacker-controlled keys are passed to hydratable. The key is embedded inside a <script> block without script-context-safe escaping, so a key containing the sequence </script> terminates the script element and allows arbitrary JavaScript to be injected into the server-rendered page. Note that ordinary HTML entity encoding is not sufficient in this position, because browsers do not decode entities inside a <script> element; the closing-tag sequence itself must be neutralized (for example by emitting </ as <\\/). This enables remote script execution in users' browsers, with potential for session theft and account compromise.\nThis issue affects Svelte: from 5.46.0 before 5.46.3.", "A flaw was found in Svelte. A remote attacker can exploit this Cross-Site Scripting (XSS) vulnerability during asynchronous hydration by supplying a specially crafted hydration key. When that key is embedded in the server-rendered <script> block without proper escaping, the attacker can break out of the script element and inject arbitrary JavaScript into a user's browser. Successful exploitation can lead to remote script execution, potentially resulting in session theft and account compromise." ],
  "statement" : "This vulnerability is rated Moderate for Red Hat products that incorporate Svelte versions 5.46.0 through 5.46.2 and utilize server-side rendering (SSR) with async hydration; Svelte 5.46.3 and later are not affected. Exploitation requires that application code pass attacker-controlled data as a key to hydratable during SSR, so deployments that supply only static or server-generated keys do not expose the injection point. A victim must then load the affected server-rendered page (user interaction is required, as reflected by UI:R in the CVSS vector), after which the injected script executes in the client browser. This could result in session theft and account compromise for users interacting with affected applications.",
  "package_state" : [ {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Fix deferred",
    "package_name" : "rhdesktop/rh-podman-desktop-ext-bootc-rhel10",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-15265\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-15265\nhttps://fluidattacks.com/advisories/lydian\nhttps://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3" ],
  "name" : "CVE-2025-15265",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}