CVE-2026-27118
Received Received - Intake
Cache Poisoning in @sveltejs/adapter-vercel Prior to

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27118
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sveltejs adapter-vercel to 6.3.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects versions of @sveltejs/adapter-vercel prior to 6.3.2. It is a cache poisoning issue where an internal query parameter used for Incremental Static Regeneration (ISR) is accessible on all routes. This allows an attacker to manipulate the cache so that sensitive, user-specific responses intended for one user can be served to other users.

To exploit this vulnerability, an attacker needs a victim to visit a specially crafted link while the victim is authenticated. Although existing deployments are protected by Vercel's Web Application Firewall (WAF), users are advised to upgrade to version 6.3.2 to fix the issue.

Impact Analysis

This vulnerability can lead to sensitive user-specific data being cached and then served to other users. This means that private information intended for one user could be exposed to others, potentially leading to data leakage and privacy violations.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade @sveltejs/adapter-vercel to version 6.3.2 or later.

Existing deployments are protected by Vercel's Web Application Firewall (WAF), but upgrading is strongly recommended to fully address the cache poisoning issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27118. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart