Cyber Posture

CVE-2026-30226

Severity: High
Published: 11 March 2026
Modified: 17 March 2026
KEV Added: none (not currently in the CISA KEV catalog)
Patch: available
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0014 (percentile 33.2)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-30226 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Svelte Devalue. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at percentile 33.2 by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Prototype pollution via crafted input to devalue.parse or devalue.unflatten on untrusted network data directly enables remote exploitation of public-facing applications (T1190) and application-layer denial of service via resource exhaustion or type confusion (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.

Deeper analysis (AI-generated)

CVE-2026-30226 is a prototype pollution vulnerability affecting the Svelte devalue JavaScript library, which serializes values into strings when JSON.stringify is insufficient. Versions 5.6.3 and earlier are vulnerable in the devalue.parse and devalue.unflatten functions, which can be exploited through maliciously crafted payloads. The issue is classified under CWE-1321 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting high availability impact.

Remote attackers need no privileges or user interaction to exploit this vulnerability over the network, and the attack complexity is low. By supplying crafted payloads to the affected functions, attackers can pollute the Object prototype, which can lead to denial of service (DoS) conditions or type confusion in any application that passes untrusted input through devalue.

The vulnerability is fixed in devalue version 5.6.4. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/sveltejs/devalue/security/advisories/GHSA-cfw5-2vxh-hr84.
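The practical defences the analysis above implies are a version check against the fixed release and a runtime canary that confirms Object.prototype is unchanged after untrusted input has been parsed. The following is an added example written for this record; it is not code from the advisory or from the devalue project. The function names (`compareVersions`, `isAffectedDevalueVersion`, `parseWithPrototypeGuard` and the rest) are this example's own choices, and JSON.parse stands in for devalue.parse so the block runs offline; the guard wraps any parser function the application actually uses.

```javascript
// Added example (not from this record or the devalue project): defensive
// checks an application can wrap around any parser of untrusted input.
// Names and the sample payload below are constructed for illustration.

// From the advisory: devalue 5.6.4 carries the fix, so earlier releases are affected.
const DEVALUE_FIXED_VERSION = '5.6.4';

// Compare two dotted numeric versions ("5.6.3" vs "5.10.0"): negative when
// a < b, zero when equal, positive when a > b. Pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = String(a).split('.').map(n => parseInt(n, 10) || 0);
  const pb = String(b).split('.').map(n => parseInt(n, 10) || 0);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// True when the installed devalue release predates the fix (5.6.3 and earlier).
function isAffectedDevalueVersion(installed) {
  return compareVersions(installed, DEVALUE_FIXED_VERSION) < 0;
}

// Snapshot the own keys (strings and symbols) of Object.prototype as a baseline.
function prototypeBaseline() {
  return new Set(Reflect.ownKeys(Object.prototype));
}

// Return every key now present on Object.prototype that was not in the baseline.
function detectPrototypePollution(baseline) {
  return Reflect.ownKeys(Object.prototype).filter(k => !baseline.has(k));
}

// Run parseFn (devalue.parse, or any other deserializer) over an untrusted
// payload and verify Object.prototype is unchanged afterwards. Newly added keys
// are removed again and the call fails closed, so a polluted prototype never
// reaches the rest of the application. This is a detection canary that
// complements, but does not replace, upgrading to the fixed release.
function parseWithPrototypeGuard(parseFn, payload) {
  const baseline = prototypeBaseline();
  let result;
  let failed = false;
  let parseError;
  try {
    result = parseFn(payload);
  } catch (err) {
    failed = true;
    parseError = err;
  }
  const added = detectPrototypePollution(baseline);
  if (added.length > 0) {
    for (const k of added) delete Object.prototype[k];
    throw new Error('prototype pollution detected after parse: ' + added.map(String).join(', '));
  }
  if (failed) throw parseError;
  return result;
}

// Optional hardening: freezing Object.prototype makes any later attempt to add
// properties to it a no-op (or a TypeError in strict mode). Apply it only after
// confirming no dependency legitimately extends Object.prototype at startup.
function hardenObjectPrototype() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Usage with a constructed payload and JSON.parse standing in for devalue.parse.
const parsed = parseWithPrototypeGuard(JSON.parse, '{"id": 7, "tags": ["a", "b"]}');
console.log('installed 5.6.3 affected:', isAffectedDevalueVersion('5.6.3'));
console.log('parsed id:', parsed.id);
```

The guard is deliberately parser-agnostic: the same wrapper stays in place after the devalue upgrade, so any future regression in any deserializer on the request path surfaces as a logged failure rather than as a silently polluted prototype.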

Details

CWE(s): CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution")

Affected Products: svelte devalue, versions ≤ 5.6.4

CVEs Like This One

CVE-2026-22775 (same product: Svelte Devalue)
CVE-2026-22774 (same product: Svelte Devalue)
CVE-2025-67647 (same vendor: Svelte)
CVE-2026-40074 (same vendor: Svelte)
CVE-2026-40073 (same vendor: Svelte)
CVE-2024-57083 (shared CWE-1321)
CVE-2024-57069 (shared CWE-1321)
CVE-2026-22803 (same vendor: Svelte)
CVE-2025-8083 (shared CWE-1321)
CVE-2026-30939 (shared CWE-1321)

References