CVE-2026-27118

UNKNOWN 0.0

Cache poisoning in @sveltejs/adapter-vercel

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2.

CWE	CWE-346
Vendor	sveltejs
Product	kit
Published	Feb 20, 2026
Last Updated	Feb 24, 2026

Stay Ahead of the Next One

Get instant alerts for sveltejs kit

Be the first to know when new unknown vulnerabilities affecting sveltejs kit are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

sveltejs / kit

< 6.3.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/sveltejs/kit/security/advisories/GHSA-9pq4-5hcf-288c