CVE-2026-30226

Source
https://cve.org/CVERecord?id=CVE-2026-30226
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30226.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-30226
Aliases
Published
2026-03-11T17:47:40.016Z
Modified
2026-03-14T13:48:38.421893Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
devalue has prototype pollution in devalue.parse and devalue.unflatten
Details

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30226.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1321"
    ]
}
References

Affected packages

Git / github.com/sveltejs/devalue

Affected ranges

Type
GIT
Repo
https://github.com/sveltejs/devalue
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.6.4"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.1.1
v2.*
v2.0.0
v2.0.1
v3.*
v3.0.1
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v4.*
v4.0.0
v4.0.1
v4.1.0
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v5.*
v5.0.0
v5.1.0
v5.1.1
v5.3.0
v5.3.1
v5.3.2
v5.4.0
v5.4.1
v5.4.2
v5.5.0
v5.6.0
v5.6.1
v5.6.2
v5.6.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30226.json"