Prototype Pollution in Sveltejs Devalue

CVE-2026-30226

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via mal…

Vulnerability class: Prototype Pollution

EPSS: 0.001 (34.3th percentile) — read the EPSS interpretation.

Affected products

Sveltejs Devalue — versions < 5.6.4

Weakness classification (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

References

https://github.com/sveltejs/devalue/security/advisories/GHSA-cfw5-2vxh-hr84 (x_refsource_CONFIRM)