Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

26 advisories

Loading
@sveltejs/kit: `query.batch` cross-talk Moderate
GHSA-hgv7-v322-mmgr was published for @sveltejs/kit (npm) May 21, 2026
rafabd1 Credited to rafabd1, elliott-with-the-longest-name-on-github, dummdidumm, and anandmt elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
dummdidumm dummdidumm anandmt anandmt
Svelte: SSR XSS via Insecure Promise Serialization in hydratable Moderate
GHSA-f3cj-j4f6-wq85 was published for svelte (npm) May 14, 2026
dummdidumm Credited to dummdidumm and elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State Moderate
CVE-2026-42573 was published for svelte (npm) May 14, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github and dummdidumm dummdidumm dummdidumm
Svelte: ReDoS in `<svelte:element>` Tag Validation Moderate
CVE-2026-42567 was published for svelte (npm) May 14, 2026
Meltedd Credited to Meltedd, dummdidumm, and elliott-with-the-longest-name-on-github dummdidumm dummdidumm
elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
Svelte devalue: DoS via sparse array deserialization High
CVE-2026-42570 was published for devalue (npm) May 14, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, dummdidumm, and kq5y dummdidumm dummdidumm
kq5y kq5y
Svelte SSR vulnerable to cross-site scripting via spread attributes Moderate
CVE-2026-42599 was published for svelte (npm) May 14, 2026
dummdidumm Credited to dummdidumm and elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service Moderate
CVE-2026-40074 was published for @sveltejs/kit (npm) Apr 10, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass High
CVE-2026-40073 was published for @sveltejs/kit (npm) Apr 10, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github and KarimPwnz KarimPwnz KarimPwnz
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, wim-vercel, mattiasljungstrom, Wenxin-Jiang, and massif-01 KarimPwnz KarimPwnz
wim-vercel wim-vercel mattiasljungstrom mattiasljungstrom Wenxin-Jiang Wenxin-Jiang massif-01 massif-01
devalue has prototype pollution in devalue.parse and devalue.unflatten Moderate
CVE-2026-30226 was published for devalue (npm) Mar 12, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, and jviide KarimPwnz KarimPwnz
jviide jviide
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github and jviide jviide jviide
Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers Moderate
CVE-2026-27902 was published for svelte (npm) Feb 26, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, and maksyche KarimPwnz KarimPwnz
maksyche maksyche
Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent` Moderate
CVE-2026-27901 was published for svelte (npm) Feb 26, 2026
paoloricciuti Credited to paoloricciuti, elliott-with-the-longest-name-on-github, and KarimPwnz elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
KarimPwnz KarimPwnz
CPU exhaustion in SvelteKit remote form deserialization (experimental only) Moderate
GHSA-88qp-p4qg-rqm6 was published for @sveltejs/kit (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Memory exhaustion in SvelteKit remote form deserialization (experimental only) Moderate
GHSA-vrhm-gvg7-fpcf was published for @sveltejs/kit (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
devalue affected by CPU and memory amplification from sparse arrays Low
GHSA-33hq-fvwr-56pm was published for devalue (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed Low
GHSA-8qm3-746x-r74r was published for devalue (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Svelte SSR attribute spreading includes inherited properties from prototype chain Moderate
CVE-2026-27125 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Svelte SSR does not validate dynamic element tag names in `<svelte:element>` Moderate
CVE-2026-27122 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Svelte affected by cross-site scripting via spread attributes in Svelte SSR Moderate
CVE-2026-27121 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Svelte affected by XSS in SSR `<option>` element Moderate
CVE-2026-27119 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github and enismaholli enismaholli enismaholli
Cache poisoning in @sveltejs/adapter-vercel Moderate
CVE-2026-27118 was published for @sveltejs/adapter-vercel (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse High
CVE-2026-22775 was published for devalue (npm) Jan 15, 2026
jviide Credited to jviide, elliott-with-the-longest-name-on-github, and Rich-Harris elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
Rich-Harris Rich-Harris
svelte vulnerable to Cross-site Scripting Moderate
CVE-2025-15265 was published for svelte (npm) Jan 15, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, Rich-Harris, and caverav Rich-Harris Rich-Harris
caverav caverav
hashcoko Credited to hashcoko, ottomated, and elliott-with-the-longest-name-on-github ottomated ottomated
elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
ProTip! Advisories are also available from the GraphQL API