Cyber Resilience

CVE-2026-30226

Severity: Medium
Published: 11 March 2026
Modified: 17 March 2026
KEV Added: not listed
Patch: available (devalue 5.6.4)
CVSS Score v4: 6.3 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0014 (34.4th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30226 is a medium-severity Prototype Pollution (CWE-1321) vulnerability in Svelte Devalue. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score ranks it at the 34.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-30226 is a prototype pollution vulnerability affecting the Svelte devalue JavaScript library, which serializes values into strings when JSON.stringify is insufficient. Versions 5.6.3 and earlier are vulnerable in the devalue.parse and devalue.unflatten functions, which can be exploited through maliciously crafted payloads. The issue is classified under CWE-1321 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting high availability impact.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By supplying crafted payloads to the affected functions, attackers can pollute the Object prototype, potentially leading to denial of service (DoS) conditions or type confusion in applications that process untrusted input through devalue.

The vulnerability is fixed in devalue version 5.6.4. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/sveltejs/devalue/security/advisories/GHSA-cfw5-2vxh-hr84.


Vulnerability details

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.

CWE(s)

CWE-1321 Prototype Pollution

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Prototype pollution via crafted input to devalue.parse/unflatten on untrusted network data directly enables remote exploitation of public-facing apps (T1190) and application-layer DoS via resource exhaustion/type confusion (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22775 (same product: Svelte Devalue)
CVE-2026-22774 (same product: Svelte Devalue)
CVE-2026-40073 (same vendor: Svelte)
CVE-2025-67647 (same vendor: Svelte)
CVE-2026-40074 (same vendor: Svelte)
CVE-2026-22803 (same vendor: Svelte)
CVE-2024-57080 (shared CWE-1321)
CVE-2024-57066 (shared CWE-1321)
CVE-2024-57067 (shared CWE-1321)
CVE-2026-30939 (shared CWE-1321)

Affected Assets

Vendor: svelte
Product: devalue
Versions: ≤ 5.6.4

Mitigating Controls (NIST 800-53 r5)

Prevent: Remediating the known flaw in devalue versions 5.6.3 and earlier by upgrading to 5.6.4 or later directly prevents prototype pollution exploitation.

Prevent (SI-10 Information Input Validation): Validating untrusted inputs prior to processing by devalue.parse or devalue.unflatten prevents malicious payloads from polluting the Object prototype.

Detect (RA-5 Vulnerability Monitoring and Scanning): Vulnerability scanning detects systems using vulnerable devalue library versions, enabling proactive remediation to mitigate prototype pollution risks.
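The controls above (a version gate for the affected devalue range, plus a runtime check that untrusted deserialization left nothing behind on Object.prototype) as an added JavaScript example; this is not code from the advisory or from the devalue project. `guardedDeserialize` accepts any deserializer as a parameter, and `fakeVulnerableParse` is a constructed stand-in that simulates pollution so the guard can be exercised without devalue installed.

```javascript
// Added defensive example (not from the advisory or the devalue project).
// 1) isVulnerableDevalueVersion: flags devalue releases before 5.6.4, the
//    first fixed version named in the advisory.
// 2) guardedDeserialize: runs any deserializer on untrusted input and reports
//    (then removes) properties that appeared on Object.prototype meanwhile.

const FIXED_VERSION = '5.6.4'; // from the advisory

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// true when `version` is older than FIXED_VERSION
function isVulnerableDevalueVersion(version) {
  const a = parseSemver(version);
  const b = parseSemver(FIXED_VERSION);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false; // equal to the fixed version
}

// Runs deserialize(payload). Returns { value, polluted } where `polluted` lists
// own-property names added to Object.prototype during the call; those
// properties are deleted again so the rest of the process is not affected.
function guardedDeserialize(deserialize, payload) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  let value, error;
  try {
    value = deserialize(payload);
  } catch (e) {
    error = e;
  }
  const polluted = Object.getOwnPropertyNames(Object.prototype)
    .filter((name) => !before.has(name));
  for (const name of polluted) delete Object.prototype[name];
  if (error) throw error;
  return { value, polluted };
}

// Constructed stand-in for a vulnerable deserializer (not devalue's code): it
// plants a property on Object.prototype so the guard has something to catch.
function fakeVulnerableParse(payload) {
  const data = JSON.parse(payload);
  if (typeof data.plant === 'string') Object.prototype[data.plant] = 'x';
  return data;
}
```

In production the guard wraps the real devalue.parse or devalue.unflatten call, and a non-empty `polluted` list is the signal to reject the request and raise an alert.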
