Lucene search
K

96 matches found

OSV
OSV
added 2026/03/12 4:38 p.m.2 views

GHSA-MWV9-GP5H-FRR4 Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties

In some circumstances, devalue.parse and devalue.unflatten could emit objects with proto own properties. This in and of itself is not a security vulnerability and is possible with, for example, JSON.parse as well, but it can result in prototype injection if downstream code handles it incorrectly:...

6.9CVSS5.9AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/12 4:38 p.m.12 views

Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties

In some circumstances, devalue.parse and devalue.unflatten could emit objects with proto own properties. This in and of itself is not a security vulnerability and is possible with, for example, JSON.parse as well, but it can result in prototype injection if downstream code handles it incorrectly:...

5.8AI score
Exploits0References4Affected Software1
vulnersOsv
vulnersOsv
added 2026/03/12 2:13 p.m.6 views

3nit-utils (>=0.30.0 <=1.0.2), 6ix (=0.0.0-canary.0) +1015 more potentially affected by CVE-2026-30226 via devalue (>=1.1.1 <=5.6.3)

devalue NPM version =1.1.1, =0.30.0, =0.0.0-canary.0, =0.1.0, =1.1.0, =1.1.0, =0.0.27, =1.0.0, =0.0.1, =0.1.0, =0.2.2, =0.2.2, =0.2.2, =0.3.0, =0.4.2 and more Source cves: CVE-2026-30226 Source advisory: OSV:GHSA-CFW5-2VXH-HR84...

7.5CVSS5.7AI score0.00373EPSS
Exploits0
OSV
OSV
added 2026/03/12 2:13 p.m.2 views

GHSA-CFW5-2VXH-HR84 devalue has prototype pollution in devalue.parse and devalue.unflatten

In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service DoS or type confusion...

6.3CVSS5.9AI score0.00373EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/12 2:13 p.m.11 views

devalue has prototype pollution in devalue.parse and devalue.unflatten

In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service DoS or type confusion...

7.5CVSS5.8AI score0.00373EPSS
Exploits0References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/12 11:27 a.m.6 views

CVE-2026-30226

A flaw was found in the Svelte devalue JavaScript library. A remote attacker could exploit a prototype pollution vulnerability by sending maliciously crafted payloads to the devalue.parse or devalue.unflatten functions. Successful exploitation of this flaw could lead to a Denial of Service DoS...

7.5CVSS5.8AI score0.00373EPSS
Exploits0References4
Snyk
Snyk
added 2026/03/11 8:43 p.m.5 views

Prototype Pollution

Overview devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Prototype Pollution via the parse or unflatten functions. An attacker can manipulate object prototype...

7.5CVSS6.3AI score0.00373EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/03/11 8:43 p.m.10 views

@aabelmann/ui-layer (=0.0.1), @adinvadim/convex-vue (>=1.1.0 <=1.3.0) +734 more potentially affected by CVE-2026-30226 via devalue (>=4.0.1 <=5.6.3)

devalue NPM version =4.0.1, =1.1.0, =1.0.0, =0.0.1, =0.1.0, =0.2.2, =0.2.2, =0.2.2, =0.3.0, =0.5.7, =0.0.1-beta.3, =0.0.1-alpha.1, =0.0.17, =0.0.2, =0.0.10 and more Source cves: CVE-2026-30226 Source advisory: SNYK:JS-DEVALUE-15467451...

7.5CVSS5.7AI score0.00373EPSS
Exploits0
NVD
NVD
added 2026/03/11 6:16 p.m.5 views

CVE-2026-30226

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could...

7.5CVSS0.00373EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/11 5:47 p.m.1 views

CVE-2026-30226 devalue has prototype pollution in devalue.parse and devalue.unflatten

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could...

6.3CVSS5.8AI score0.00373EPSS
Exploits0References1
CVE
CVE
added 2026/03/11 5:47 p.m.12 views

CVE-2026-30226

The CVE relates to the Svelte devalue JavaScript library. Affected versions are 5.6.3 and earlier, where devalue.parse and devalue.unflatten are vulnerable to prototype pollution via malicious payloads. Exploitation can cause Denial of Service (DoS) or type confusion. The issue is mitigated by up...

7.5CVSS5.8AI score0.00373EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/11 5:47 p.m.4 views

CVE-2026-30226

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could...

6.3CVSS5.8AI score0.00373EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/11 5:47 p.m.29 views

CVE-2026-30226 devalue has prototype pollution in devalue.parse and devalue.unflatten

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could...

6.3CVSS0.00373EPSS
Exploits0References1
OSV
OSV
added 2026/03/11 5:47 p.m.3 views

CVE-2026-30226 devalue has prototype pollution in devalue.parse and devalue.unflatten

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could...

6.3CVSS5.8AI score0.00373EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/03/11 12:0 a.m.3 views

PT-2026-24756

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could...

6.3CVSS5.8AI score0.00373EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/03/11 12:0 a.m.8 views

devalue 安全漏洞

devalue is an enhanced JavaScript object serialization library developed by Svelte. Versions of devalue 5.6.3 and earlier contained a security vulnerability. This vulnerability stemmed from the susceptibility of devalue.parse and devalue.unflatten to prototype pollution attacks involving speciall...

7.5CVSS5.8AI score0.00373EPSS
Exploits0References1
vulnersOsv
vulnersOsv
added 2026/02/19 8:29 p.m.24 views

@deno/sandbox (>=0.0.9 <=0.6.0), @ekairos/dataset (>=1.21.56-beta.0 <=1.22.34-beta.development.0) +45 more potentially affected by unknown CVE via devalue (>=5.0.0 <=5.6.2)

devalue NPM version =5.0.0, =0.0.9, =1.21.56-beta.0, =1.22.4-beta.development.0, =1.21.56-beta.0, =1.21.67-beta.0, =1.21.88-beta.0, =0.0.0-dev-20260121145510, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =2.3.65, =1.1.27, =1.1.21, =1.2.263, =2.2.3, =4.0.1 and...

5.8AI score
Exploits0
Snyk
Snyk
added 2026/02/19 8:29 p.m.1 views

Allocation of Resources Without Limits or Throttling

Overview devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the uneval or stringify functions. An attack...

6.3CVSS5.6AI score
Exploits0References2
Snyk
Snyk
added 2026/02/19 8:29 p.m.2 views

Prototype Pollution

Overview devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Prototype Pollution via the uneval method. An attacker can manipulate object prototypes by supplying...

4.4CVSS6.6AI score
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/02/19 8:29 p.m.10 views

@deno/sandbox (>=0.0.9 <=0.6.0), @ekairos/dataset (>=1.21.56-beta.0 <=1.22.34-beta.development.0) +45 more potentially affected by unknown CVE via devalue (>=5.0.0 <=5.6.2)

devalue NPM version =5.0.0, =0.0.9, =1.21.56-beta.0, =1.22.4-beta.development.0, =1.21.56-beta.0, =1.21.67-beta.0, =1.21.88-beta.0, =0.0.0-dev-20260121145510, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =2.3.65, =1.1.27, =1.1.21, =1.2.263, =2.2.3, =4.0.1 and...

5.8AI score
Exploits0
Rows per page
Query Builder