CVE-2026-27118

CVE-2026-27118 is a medium-severity vulnerability with a CVSS 4.0 base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-346.

Key facts

Description

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2.

Frequently asked questions

What is CVE-2026-27118?
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2.
How severe is CVE-2026-27118?
CVE-2026-27118 has a CVSS 4.0 base score of 5.3, rated medium severity.
Is CVE-2026-27118 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (17th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-27118?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-27118 have an EU (EUVD) identifier?
Yes. CVE-2026-27118 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-7784.
When was CVE-2026-27118 published?
CVE-2026-27118 was published on 2026-02-20 and last updated on 2026-06-17.

References

Other CWE-346 vulnerabilities

Browse all CWE-346 vulnerabilities →