CVE-2026-30226
devalue has prototype pollution in devalue.parse and devalue.unflatten
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.
| CWE | CWE-1321 |
| Vendor | sveltejs |
| Product | devalue |
| Published | Mar 11, 2026 |
| Last Updated | Mar 12, 2026 |
Stay Ahead of the Next One
Get instant alerts for sveltejs devalue
Be the first to know when new unknown vulnerabilities affecting sveltejs devalue are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
sveltejs / devalue
< 5.6.4