CVE-2026-27118 | THREATINT

Description

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2.

PUBLISHED Reserved 2026-02-17 | Published 2026-02-20 | Updated 2026-02-24 | Assigner GitHub_M

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-346: Origin Validation Error

Product status

< 6.3.2

affected

References

github.com/...js/kit/security/advisories/GHSA-9pq4-5hcf-288c

cve.org (CVE-2026-27118)

nvd.nist.gov (CVE-2026-27118)

Download JSON