PT-2026-20880 · Svelte · @sveltejs/adapter-vercel

Elliott-With-The-Longest-Name-On-Github · Published 2026-02-19 · Updated 2026-02-20 · CVE-2026-27118

CVSS v4.0

5.3 Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

@sveltejs/adapter-vercel versions prior to 6.3.2

Description

@sveltejs/adapter-vercel is a framework used for developing web applications with Svelte. A flaw exists where an internal query parameter, designed for Incremental Static Regeneration (ISR), is accessible across all routes. This allows an attacker to manipulate the caching mechanism, potentially serving sensitive, user-specific responses to unintended recipients. Exploitation requires a user to access a malicious link while logged in. While Vercel’s Web Application Firewall (WAF) provides some protection for existing deployments, upgrading is recommended. Incremental Static Regeneration (ISR) is a technique that allows you to update static content after you've built your site.

Recommendations

Upgrade @sveltejs/adapter-vercel to version 6.3.2 or later.

Exploit

Fix

Origin Validation Error

Weakness Enumeration

Related Identifiers

CVE-2026-27118
GHSA-9PQ4-5HCF-288C

Affected Products

@sveltejs/adapter-vercel