CVE-2026-30226 | THREATINT

Description

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.

PUBLISHED Reserved 2026-03-04 | Published 2026-03-11 | Updated 2026-03-12 | Assigner GitHub_M

MEDIUM: 6.3CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Product status

< 5.6.4

affected

References

github.com/...evalue/security/advisories/GHSA-cfw5-2vxh-hr84

cve.org (CVE-2026-30226)

nvd.nist.gov (CVE-2026-30226)

Download JSON