Skip to main content

SvelteKit CVE-2026-27118

Origin Validation Error (CWE-346)
2026-02-20 security-advisories@github.com GHSA-9pq4-5hcf-288c

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:04 vuln.today
CVE Published
Feb 20, 2026 - 22:16 nvd
N/A

DescriptionCVE.org

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2.

AnalysisAI

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning.

Technical ContextAI

Classified as CWE-346 (Origin Validation Error). Affects sveltejs/adapter-vercel. SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Exi

Affected ProductsAI

Product: sveltejs/adapter-vercel. Versions: up to 6.3.2.

RemediationAI

Fixed in version 6.3.2..

Share

CVE-2026-27118 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy