5.3

Vercel Adapter Cache Hacked by Attacker-Controlled Links

CVE-2026-27118 GHSA-9pq4-5hcf-288c
Summary

An outdated version of the Vercel adapter for Svelte can store sensitive user data in cache. Attackers can exploit this when a logged-in user visits a malicious link. To fix this, update the adapter to the latest version as soon as possible. Existing sites are protected by Vercel's security features, but updating is still necessary to prevent future issues.

What to do
  • Update sveltejs adapter-vercel to version 6.3.2.
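To confirm which copies of the adapter a project actually installs, the following check reads the "packages" map of an npm package-lock.json and flags any copy below 6.3.2, the fixed version named in this advisory. It is an added example, not code from the advisory or from the SvelteKit project; it assumes an npm lockfile (lockfileVersion 2 or 3), and the function names and sample lockfile are constructed for illustration.

```javascript
// Added example: flag @sveltejs/adapter-vercel installs older than the fixed 6.3.2.
// Assumes npm's package-lock.json "packages" map (lockfileVersion 2 or 3).
const PKG = '@sveltejs/adapter-vercel';
const FIXED = '6.3.2';

// Parse "major.minor.patch[-prerelease][+build]"; null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// True when a sorts before b. Only the case needed here is handled for
// prereleases: a prerelease of X.Y.Z sorts before the release X.Y.Z.
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre !== null && b.pre === null;
}

// One finding per installed copy, including nested node_modules copies.
function findAdapterInstalls(lockfile) {
  const fixed = parseVersion(FIXED);
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/' + PKG)) continue;
    const parsed = parseVersion(entry.version);
    // Unparseable versions (git or tarball installs) need manual review.
    const status = !parsed ? 'unknown' : isBefore(parsed, fixed) ? 'vulnerable' : 'fixed';
    findings.push({ path, version: entry.version ?? null, status });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', devDependencies: { [PKG]: '^6.0.0' } },
    'node_modules/@sveltejs/adapter-vercel': { version: '6.3.1' },
    'packages/site/node_modules/@sveltejs/adapter-vercel': { version: '6.3.2' },
    'node_modules/@sveltejs/kit': { version: '2.0.0' },
  },
};

for (const f of findAdapterInstalls(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.version}  ${f.path}`);
}
```

For a real project, pass the parsed contents of package-lock.json to findAdapterInstalls; yarn and pnpm lockfiles use different formats and are not covered.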
Affected software
Vendor | Product | Affected versions | Fix available
sveltejs | adapter-vercel | <= 6.3.2 | 6.3.2
Original title
Cache poisoning in @sveltejs/adapter-vercel
Original description
Versions of `@sveltejs/adapter-vercel` prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users.

Successful exploitation requires a victim to visit an attacker-controlled link while authenticated.

Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible.
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-346
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026