VYPR
Medium severity · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026

CVE-2026-27118


Description

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cache poisoning flaw in SvelteKit's adapter-vercel allows an attacker to poison cached responses of authenticated users via an internal ISR query parameter.

The vulnerability exists in @sveltejs/adapter-vercel versions prior to 6.3.2. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, enabling cache poisoning [1][2].

To exploit, an attacker must trick an authenticated victim into visiting a crafted link containing the ISR parameter. This causes the server to cache a response that includes the victim's sensitive data, which can then be served to other users [1].

A successful attack leads to the exposure of user-specific responses to unauthorized parties, potentially compromising sensitive information such as session tokens or personal data [2].

Vercel's Web Application Firewall (WAF) offers some protection, but the only complete fix is upgrading to version 6.3.2 or later [1]. All users are strongly advised to update immediately.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
@sveltejs/adapter-vercel (npm) | < 6.3.2 | 6.3.2
