GHSA-9pq4-5hcf-288c

Source

https://github.com/advisories/GHSA-9pq4-5hcf-288c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-9pq4-5hcf-288c/GHSA-9pq4-5hcf-288c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9pq4-5hcf-288c

Aliases

CVE-2026-27118

Published

2026-02-19T15:18:02Z

Modified

2026-02-23T23:43:51.037809Z

Severity

5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Cache poisoning in @sveltejs/adapter-vercel

Details

Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users.

Successful exploitation requires a victim to visit an attacker-controlled link while authenticated.

Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible.

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "nvd_published_at": "2026-02-20T22:16:29Z",
    "github_reviewed_at": "2026-02-19T15:18:02Z",
    "cwe_ids": [
        "CWE-346"
    ]
}

References

Affected packages

npm / @sveltejs/adapter-vercel

Package

Name: @sveltejs/adapter-vercel; View open source insights on deps.dev
Purl: pkg:npm/%40sveltejs/adapter-vercel

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.3.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-9pq4-5hcf-288c/GHSA-9pq4-5hcf-288c.json"