CVE-2026-27118: Cache poisoning in @sveltejs/adapter-vercel

February 19, 2026 (updated February 23, 2026)

Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users.

Successful exploitation requires a victim to visit an attacker-controlled link while authenticated.

Existing deployments are protected by Vercel’s WAF, but users should upgrade as soon as possible.

References

  • github.com/advisories/GHSA-9pq4-5hcf-288c
  • github.com/sveltejs/kit
  • github.com/sveltejs/kit/security/advisories/GHSA-9pq4-5hcf-288c
  • nvd.nist.gov/vuln/detail/CVE-2026-27118

Affected versions

All versions before 6.3.2

Fixed versions

  • 6.3.2

Solution

Upgrade to version 6.3.2 or above.

Impact 4.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Weakness

  • CWE-346: Origin Validation Error

Source file

npm/@sveltejs/adapter-vercel/CVE-2026-27118.yml

Page generated Wed, 25 Mar 2026 00:17:50 +0000.