Cache Poisoning Vulnerability in SvelteKit by Vercel
CVE-2026-27118

5.3 MEDIUM

Key Information:

Vendor

Sveltejs

Status
Vendor
CVE Published:
20 February 2026

What is CVE-2026-27118?

SvelteKit, a popular framework for developing web applications, is susceptible to a cache poisoning issue in versions of @sveltejs/adapter-vercel prior to 6.3.2. An internal query parameter used for Incremental Static Regeneration (ISR) is exposed across all routes rather than only ISR routes, so an attacker can cause a sensitive, user-specific response to be cached and later served to other, unsuspecting users. To exploit this vulnerability, an attacker must lure the victim into opening an attacker-controlled link while the victim is authenticated. Existing deployments are protected by Vercel's Web Application Firewall (WAF), but upgrading the affected package is still crucial to mitigate this risk.

Affected Version(s)

kit < 6.3.2

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
