Skip to main content

SvelteKit CVE-2026-40074

| EUVD-2026-21504 MEDIUM
Improper Handling of Exceptional Conditions (CWE-755)
2026-04-10 GitHub_M GHSA-3f6h-2hrp-w5wx
Information Disclosure
6.3
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 10, 2026 - 17:15 euvd
EUVD-2026-21504
Analysis Generated
Apr 10, 2026 - 17:15 vuln.today
CVE Published
Apr 10, 2026 - 16:26 nvd
MEDIUM 6.3

DescriptionNVD

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.

AnalysisAI

SvelteKit versions prior to 2.57.1 are vulnerable to denial of service when the redirect() function is called from the handle server hook with HTTP header-invalid characters in the location parameter. An unauthenticated remote attacker can trigger an unhandled TypeError by supplying unsanitized user input to the redirect location, potentially causing application crashes on certain platforms. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-40074 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy