SvelteKit Cache Poisoning Vulnerability in @sveltejs/adapter-vercel

Vulnerability

A cache poisoning vulnerability exists in SvelteKit's @sveltejs/adapter-vercel package, affecting versions through 6.3.1. The issue arises because an internal query parameter meant for Incremental Static Regeneration (ISR) is exposed on all routes. This vulnerability allows an attacker to manipulate caching mechanisms, causing sensitive user-specific responses to be stored and served to other users. Exploitation requires a victim to click on an attacker-controlled link while authenticated. While Vercel's Web Application Firewall (WAF) provides some protection for existing deployments, users are advised to upgrade to version 6.3.2 as soon as possible.

Impact

Exploitation of this vulnerability leads to cache poisoning, where sensitive user-specific responses are cached and served to other users.

Remediation

Users should upgrade to version 6.3.2 of @sveltejs/adapter-vercel.
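
To confirm that no affected copy remains installed, the check below walks a parsed package-lock.json and flags every copy of the adapter older than 6.3.2. It is an added example, not code from the advisory or from the SvelteKit project; the function names and the sample lockfile are constructed for illustration, and flagging 6.3.2 prereleases and unparseable versions for review is an assumption made here.

```javascript
const PKG = "@sveltejs/adapter-vercel";
const FIXED = [6, 3, 2]; // first fixed release named in the advisory

// True when the version sorts below 6.3.2. Assumption: prereleases of 6.3.2
// and versions that cannot be parsed (git URLs, tags) are flagged for review.
function isAffected(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[^+]+)?(\+.*)?$/.exec(String(v).trim());
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return Boolean(m[4]);
}

// Collect every installed copy, including nested and workspace copies, from
// lockfile v2/v3 ("packages" map) or v1 (nested "dependencies" tree).
function findCopies(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      found.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${name}`;
      if (name === PKG) found.push({ path: here, version: meta.version });
      walk(meta.dependencies, `${here}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}

function audit(lock) {
  return findCopies(lock).map((c) => ({ ...c, affected: isAffected(c.version) }));
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@sveltejs/adapter-vercel": { version: "6.3.1" },
    "packages/docs/node_modules/@sveltejs/adapter-vercel": { version: "6.3.2" },
    "node_modules/@sveltejs/kit": { version: "2.0.0" },
  },
};
console.log(audit(sampleLock));
```

In a real project, pass JSON.parse of the lockfile contents to audit() and fail the build if any entry has affected set to true.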

Added: Feb 20, 2026, 10:18 PM
Updated: Feb 20, 2026, 10:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.2
remediation: 0.0
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.