CVE-2026-30226
Published: 11 March 2026
Summary
CVE-2026-30226 is a Prototype Pollution (CWE-1321) vulnerability in Svelte devalue. The headline score shown here is CVSS 6.3 (Medium); note that the CVSS v3.1 vector quoted in the deeper analysis below evaluates to 7.5 (High), so read the vector rather than either headline number when prioritising.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 34.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The mitigations our analysis rates strongest are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation); the direct remediation is upgrading devalue to 5.6.4 or later.
Deeper analysis
CVE-2026-30226 is a prototype pollution vulnerability affecting the Svelte devalue JavaScript library, which serializes values into strings in cases where JSON.stringify is insufficient. Versions 5.6.3 and earlier are vulnerable in devalue.parse and devalue.unflatten, the functions that turn a serialized payload back into an object graph; a maliciously crafted payload passed to either can pollute Object.prototype. The issue is classified as CWE-1321 with the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which evaluates to a base score of 7.5 (High): no confidentiality or integrity impact, high availability impact. This differs from the 6.3 (Medium) score given in the summary above; the vector, not either headline number, describes the exposure.
Remote attackers need no privileges or user interaction to exploit this over the network, and the attack complexity is low. By supplying a crafted payload to either function, an attacker can write a property onto Object.prototype. Because every ordinary object inherits from that prototype, the injected property becomes visible to unrelated code in the same process, which is how the denial of service (DoS) and type confusion outcomes arise. Any application that passes untrusted input through devalue.parse or devalue.unflatten is in scope.
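To make the mechanism concrete, here is an added example written for this page (it is not devalue's code and not the CVE-2026-30226 payload): a toy key-path deserializer in a naive form that pollutes Object.prototype, beside a hardened form that rejects prototype-related key names and builds null-prototype objects, plus the post-parse integrity check a service can run after deserializing untrusted input. The function names, the dotted key-path format and the payload are constructed assumptions; devalue's actual wire format is different.

```javascript
// Added example for this page: a toy key-path deserializer showing how a
// CWE-1321 prototype pollution bug works and how to harden it. It is NOT
// devalue's code and NOT the CVE-2026-30226 payload; the payload below is
// constructed for this illustration. unflattenNaive, unflattenSafe,
// isPolluted and demonstrate are hypothetical helper names.

// Naive reconstruction of {"a.b": 1} into {a: {b: 1}}. Each intermediate key
// is READ to descend, so a segment named "__proto__" resolves to
// Object.prototype and the final assignment lands on the shared prototype.
function unflattenNaive(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    const keys = path.split(".");
    let cur = out;
    for (const key of keys.slice(0, -1)) {
      if (cur[key] === undefined) cur[key] = {};
      cur = cur[key];
    }
    cur[keys[keys.length - 1]] = value;
  }
  return out;
}

// Hardened form: reject prototype-related key names up front and build
// null-prototype objects so there is no chain to walk into even if a check
// is missed. Descending through a non-object is an error, not a crash later.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function unflattenSafe(flat) {
  const out = Object.create(null);
  for (const [path, value] of Object.entries(flat)) {
    const keys = path.split(".");
    if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
      throw new TypeError(`refusing forbidden key in path "${path}"`);
    }
    let cur = out;
    for (const key of keys.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(cur, key)) cur[key] = Object.create(null);
      cur = cur[key];
      if (typeof cur !== "object" || cur === null) {
        throw new TypeError(`path "${path}" descends through a non-object`);
      }
    }
    cur[keys[keys.length - 1]] = value;
  }
  return out;
}

// Post-deserialization integrity check: Object.prototype has no own
// enumerable properties in a healthy process, so any key here means the
// prototype has been polluted and the process should be treated as tainted.
function isPolluted() {
  return Object.keys(Object.prototype).length > 0;
}

// Run the constructed payload through both deserializers and report what
// each did. The pollution is removed afterwards so the rest of the process
// is left clean.
function demonstrate() {
  const payload = { "__proto__.polluted": true, "user.name": "alice" };
  const before = isPolluted();
  unflattenNaive(payload);
  const after = isPolluted();
  // An unrelated object created elsewhere now "has" the injected property:
  // this inherited value is what turns into type confusion or a crash in
  // code that never set it.
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  let safeRejected = false;
  try {
    unflattenSafe(payload);
  } catch (err) {
    safeRejected = err instanceof TypeError;
  }
  return { before, after, leaked, safeRejected, cleanedUp: !isPolluted() };
}

console.log(demonstrate());
```

The shape of the defence generalises to any deserializer: reject `__proto__`, `constructor` and `prototype` as key names before any assignment, build into null-prototype objects, and treat a non-empty `Object.keys(Object.prototype)` after parsing as a process-level incident rather than a bad request. None of this replaces the 5.6.4 upgrade.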
The vulnerability is fixed in devalue version 5.6.4. Upgrade to that version or later, and check nested installs as well as direct dependencies, since a lockfile can pin more than one copy of the package. Additional details are available in the GitHub Security Advisory at https://github.com/sveltejs/devalue/security/advisories/GHSA-cfw5-2vxh-hr84.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11253
Vulnerability details
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Prototype pollution via crafted input to devalue.parse/unflatten on untrusted network data enables remote exploitation of public-facing applications (T1190), and the resulting resource exhaustion or type confusion is an application-layer denial of service (T1499.004, Endpoint Denial of Service: Application or System Exploitation).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: upgrading devalue from 5.6.3 or earlier to 5.6.4 or later removes the vulnerable code paths and is the only control that actually closes the flaw.
- SI-10 (Information Input Validation): validating untrusted input before it reaches devalue.parse or devalue.unflatten, for example by rejecting payloads that would write to prototype-related keys such as __proto__, constructor or prototype, limits what a malicious payload can do to Object.prototype. This is defence in depth while the upgrade is rolled out, not a substitute for it.
- RA-5 (Vulnerability Monitoring and Scanning): scanning dependency manifests and lockfiles for devalue versions below 5.6.4, including nested copies pulled in transitively, identifies the systems that need the upgrade.
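The RA-5 control above amounts to a version scan. As an added example (not a tool from the devalue project, and not an npm command), the JavaScript below reads an npm package-lock.json in both shapes npm writes, the lockfileVersion 1 "dependencies" tree and the lockfileVersion 2/3 "packages" map, and flags every devalue install below 5.6.4, including nested copies. The sample lockfile and the package name "some-framework" are constructed for the example; the helper names are hypothetical.

```javascript
// Added example: scan an npm package-lock.json for devalue installs at or
// below 5.6.3 (fixed in 5.6.4). Not a devalue project tool and not an npm
// command; it reads the lockfile formats npm writes (lockfileVersion 1
// "dependencies" tree, lockfileVersion 2/3 "packages" map). The lockfile
// below and the package "some-framework" are constructed for this example.

const FIXED_VERSION = [5, 6, 4];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numbers plus a
// prerelease flag. Anything unparseable is returned as null so the caller
// can flag it for review rather than silently skipping it.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

// True when `installed` sorts before the fixed version. A prerelease of the
// fixed version (5.6.4-beta.1) sorts before 5.6.4 and is treated as
// vulnerable; an unparseable version is flagged rather than trusted.
function isVulnerableDevalue(installed) {
  const s = parseSemver(installed);
  if (s === null) return true;
  for (let i = 0; i < 3; i++) {
    if (s.core[i] < FIXED_VERSION[i]) return true;
    if (s.core[i] > FIXED_VERSION[i]) return false;
  }
  return s.prerelease;
}

// Walk both lockfile shapes and collect every devalue install with its path,
// so nested copies under other packages are reported as well.
function findDevalueInstalls(lock) {
  const found = [];
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/devalue" || path.endsWith("/node_modules/devalue")) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) { // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "devalue") found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Parse the lockfile text and annotate each devalue install with a verdict.
function scanLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  return findDevalueInstalls(lock).map((e) => ({ ...e, vulnerable: isVulnerableDevalue(e.version) }));
}

// Constructed lockfile: the direct devalue dependency is already upgraded,
// but a hypothetical package still pins the old version as a nested copy.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { devalue: "^5.6.4", "some-framework": "^1.0.0" } },
    "node_modules/devalue": { version: "5.6.4" },
    "node_modules/some-framework": { version: "1.0.0", dependencies: { devalue: "5.6.3" } },
    "node_modules/some-framework/node_modules/devalue": { version: "5.6.3" },
  },
});

console.log(scanLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile with `scanLockfile(fs.readFileSync("package-lock.json", "utf8"))`; any entry with `vulnerable: true` is a copy of devalue that the upgrade has not reached yet, typically because another package pins it.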