Description
Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users.
Recommendation
Update the @sveltejs/adapter-vercel package to the latest compatible version. Followings are version details:
- Affected version(s): < 6.3.2
- Patched version(s): 6.3.2
References
Related Issues
- Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed - CVE-2026-41322
- Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning - @nuxt/nitro-server - CVE-2026-46342
- Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning - CVE-2026-46342
- @sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass - CVE-2026-40073
You might also like:
- Tags:
- npm
- @sveltejs/adapter-vercel
Anything's wrong? Let us know Last updated on February 23, 2026