CVE-2026-30226

HIGH

Svelte devalue <=5.6.3 - Deserialization

Title source: llm

Description

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.

References (1)

[Vendor Advisory] https://github.com/sveltejs/devalue/security/advisories/GHSA-cfw5-2vxh-hr84

Scores

CVSS v3 7.5

EPSS 0.0014

EPSS Percentile 33.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (2)

npm/devalue 0 - 5.6.4npm

svelte/devalue < 5.6.4

Published Mar 11, 2026

Tracked Since Mar 12, 2026