Human
Machine
REPRO-2026-00067 HIGH XSS
Verified
Svelte XSS via textarea bind:value in SSR
svelte (npm) Jan 17, 2026
What's the vulnerability?
A server-side rendered <textarea> with two-way bound value does not have its value correctly escaped in the rendered HTML.
Root Cause Analysis
One Command
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script.
pruva-verify REPRO-2026-00067 or
pruva-verify GHSA-gw32-9rmw-qwww Install:
curl -fsSL https://pruva.dev/install.sh | sh Or Run Manually
1
Download the script
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00067/artifacts/repro/reproduction_steps.sh 2
Make executable
chmod +x reproduction_steps.sh 3
Run the script
./reproduction_steps.sh Run in a VM, container, or disposable environment. This exploits a real vulnerability.
How Pruva Reproduced This
Watch the AI agent's step-by-step process.
Loading session...