CVE-2026-22774

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Svelte devalue versions 5.3.0 through 5.6.1

Description Certain inputs can cause the devalue.parse function to consume excessive CPU time and/or memory, potentially leading to a denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking this assumption before creating the typed array.

Recommendations Upgrade to version 5.6.2 or later.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-405CWE-20

Related Identifiers

CVE-2026-22774

GHSA-VW5P-8CQ8-M7MV

Affected Products

Svelte

Devalue

CVE-2026-22774

Weakness Enumeration

Related Identifiers

Affected Products

References · 10