11 matches found
Incorrect Synchronization
Overview: @sveltejs/kit is the SvelteKit framework and CLI. Affected versions of this package are vulnerable to Incorrect Synchronization via the query.batch function. An attacker can access data belonging to other users by exploiting a race condition that causes concurrent requests from different...
@sveltejs/kit: `query.batch` cross-talk
query.batch could, under very rare and specific timings, cause concurrent requests from different users to be merged and resolved under a single request context, enabling cross-user data disclosure...
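The two query.batch entries above describe the same failure class: a batching queue shared across requests, so calls from different users land in one batch that is executed under whichever request's context flushes it. The following is an added illustration of that class, not SvelteKit's code; the SharedBatcher/ScopedBatcher names, the fetchRows backend and the two-row sample table are constructed for the example.

```javascript
// Constructed sample data: one row per user. A backend call only returns rows
// owned by the user in the calling request's context.
const ROWS = [
  { id: 1, owner: 'alice', secret: 'alice-1' },
  { id: 2, owner: 'bob', secret: 'bob-2' },
];

// Hypothetical backend: fetch the requested ids, scoped to the context's user.
function fetchRows(ctx, ids) {
  return ids.map((id) => ROWS.find((r) => r.id === id && r.owner === ctx.user) ?? null);
}

// Vulnerable pattern: a single process-wide queue. If a second request enqueues
// before the first one flushes, both are resolved under the first request's
// context, and the second caller receives rows fetched as the first user.
class SharedBatcher {
  constructor() { this.queue = []; }
  enqueue(ctx, id) { this.queue.push({ ctx, id }); }
  flush() {
    if (this.queue.length === 0) return [];
    const ctx = this.queue[0].ctx;               // context of whoever got in first
    const rows = fetchRows(ctx, this.queue.map((e) => e.id));
    const out = this.queue.map((e, i) => ({ user: e.ctx.user, id: e.id, row: rows[i] }));
    this.queue = [];
    return out;
  }
}

// Hardened pattern: one queue per request context. Keying on the context object
// keeps batches from different requests apart no matter how their timing overlaps.
class ScopedBatcher {
  constructor() { this.queues = new Map(); }
  enqueue(ctx, id) {
    if (!this.queues.has(ctx)) this.queues.set(ctx, []);
    this.queues.get(ctx).push(id);
  }
  flush() {
    const out = [];
    for (const [ctx, ids] of this.queues) {
      const rows = fetchRows(ctx, ids);          // always the owning request's context
      ids.forEach((id, i) => out.push({ user: ctx.user, id, row: rows[i] }));
    }
    this.queues.clear();
    return out;
  }
}

// Simulated race: Alice's request enqueues, then Bob's request enqueues the same
// id before the batch flushes. Bob does not own row 1 and should get null.
function demo(batcher) {
  const alice = { user: 'alice' };
  const bob = { user: 'bob' };
  batcher.enqueue(alice, 1);
  batcher.enqueue(bob, 1);
  return batcher.flush();
}

// demo(new SharedBatcher())[1] -> { user: 'bob', id: 1, row: { ...secret: 'alice-1' } }  (leak)
// demo(new ScopedBatcher())[1] -> { user: 'bob', id: 1, row: null }
```

The shared queue leaks because the batch's identity (its context) is decided at flush time from whatever happens to be first in line; the scoped queue decides it at enqueue time. In a real server, a per-request container such as the request object or an AsyncLocalStorage store plays the role of the Map key here.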
@alexaegis/svelte-config (>=0.9.2 <=0.15.0), @builders-of-stuff/svelte-sui-wallet-adapter (>=1.1.4 <=2.1.0) +11 more potentially affected by CVE-2026-40074 via @sveltejs/kit (>=2.0.0 <=2.55.0)
@sveltejs/kit NPM version =2.0.0, =0.9.2, =1.1.4, =0.0.137, =0.1.0, =0.4.1, =5.0.0-alpha.1, =0.0.1, =1.0.1-next.0, =0.0.10, =1.0.2, =0.0.1, =1.3.0, =1.15.1 Source cves: CVE-2026-40074 Source advisory: SNYK:JS-SVELTEJSKIT-15967888...
@alexaegis/svelte-config (>=0.9.2 <=0.15.0), @builders-of-stuff/svelte-sui-wallet-adapter (>=1.1.4 <=2.1.0) +11 more potentially affected by CVE-2026-40073 via @sveltejs/kit (>=2.0.0 <=2.55.0)
@sveltejs/kit NPM version =2.0.0, =0.9.2, =1.1.4, =0.0.137, =0.1.0, =0.4.1, =5.0.0-alpha.1, =0.0.1, =1.0.1-next.0, =0.0.10, =1.0.2, =0.0.1, =1.3.0, =1.15.1 Source cves: CVE-2026-40073 Source advisory: SNYK:JS-SVELTEJSKIT-15967891...
@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass
Under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in a WAF, a gateway, or at the platform level are unaffected...
Exploit for Server-Side Request Forgery in Svelte Sveltekit
BlueDragon Web Security An advanced web vulnerability scann...
@alexaegis/svelte-config (=0.9.2), @builders-of-stuff/svelte-sui-wallet-adapter (>=1.1.4 <=1.1.5) +2 more potentially affected by CVE-2025-32388 via @sveltejs/kit (>=2.0.0 <=2.17.3)
@sveltejs/kit NPM version =2.0.0, =1.1.4, =0.4.1, =1.0.2, =1.0.3 Source cves: CVE-2025-32388 Source advisory: OSV:GHSA-6Q87-84JW-CJHP...
@2077collective/persona (>=0.0.1 <=0.0.3), @acudac/md3-svelte (>=1.1.2 <=1.1.19) +397 more potentially affected by CVE-2024-53262 via @sveltejs/kit (>=1.0.0-next.100 <=2.8.1)
@sveltejs/kit NPM version =1.0.0-next.100, =0.0.1, =1.1.2, =1.0.1, =1.0.4, =1.0.0, =1.0.0, =1.0.0, =1.0.183, =0.0.1, =0.3.0, =0.5.7, =0.0.1-alpha.1, =0.6.1, =0.0.7, =0.0.9, =0.43.1 and more Source cves: CVE-2024-53262 Source advisory: OSV:GHSA-MH2X-FCQH-FMQV...
@alexaegis/svelte-config (>=0.9.2 <=0.14.1), @builders-of-stuff/svelte-sui-wallet-adapter (>=1.1.4 <=2.1.0) +8 more potentially affected by CVE-2024-23641 via @sveltejs/kit (>=2.0.0 <=2.49.5)
@sveltejs/kit NPM version =2.0.0, =0.9.2, =1.1.4, =0.0.137, =0.4.1, =5.0.0-alpha.1, =0.0.1, =1.0.1-next.0, =1.0.2, =0.0.1, =1.3.0, =1.12.3 Source cves: CVE-2024-23641 Source advisory: OSV:GHSA-G5M6-HXPP-FC49...
@affinity-lab/sk-messaging (>=1.0.4 <=1.0.5), @affinity-lab/sk-mik-id-sso-client (>=1.0.0 <=1.0.1) +36 more potentially affected by CVE-2023-29003 via @sveltejs/kit (>=1.0.0-next.100 <=1.13.0)
@sveltejs/kit NPM version =1.0.0-next.100, =1.0.4, =1.0.0, =1.0.0, =1.0.0, =1.1.9, =2.2.3-beta.1, =0.0.0-0d3aa317, =1.1.0, =1.0.3, =1.0.0, =1.0.3 - @medyll/slotui =0.1.61 and more Source cves: CVE-2023-29003 Source advisory: OSV:GHSA-5P75-VC5G-8RV2...
svelte cross-site request forgery vulnerability
Svelte is a new way to build web applications, from the Svelte open-source project. A cross-site request forgery vulnerability exists in SvelteKit versions prior to 1.15.1: the built-in CSRF protection can be bypassed by specifying a different "Content-Type" header value. An attacker could exploit the vulnerability to perform...