CVE-2026-30226: devalue has prototype pollution in devalue.parse and devalue.unflatten
In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.