devalue has prototype pollution in devalue.parse and devalue.unflatten

GHSA-cfw5-2vxh-hr84 · CVE-2026-30226

Published Mar 12, 2026 · Modified Mar 14, 2026

Description

In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.

References

WEB https://github.com/sveltejs/devalue/security/advisories/GHSA-cfw5-2vxh-hr84
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-30226
PACKAGE https://github.com/sveltejs/devalue

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes