Description
Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users.
Recommendation
Update the @sveltejs/adapter-vercel package to the latest compatible version. The version details are as follows:
- Affected version(s): < 6.3.2
- Patched version(s): 6.3.2
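To confirm that no copy of the package below 6.3.2 is still resolved in a project, the lockfile can be checked directly. The following is an added example, not part of the original advisory or of the SvelteKit project's code; the function names and the sample lockfile are constructed for illustration.

```javascript
// Flags every @sveltejs/adapter-vercel entry in an npm lockfile that is older than 6.3.2.
// For a real project, load the file with:
//   JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))
const PKG = "@sveltejs/adapter-vercel";
const PATCHED = "6.3.2"; // patched version stated in the advisory

// Parse "major.minor.patch[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null } : null;
}

// True when a sorts strictly before b. A prerelease of X.Y.Z sorts before X.Y.Z,
// so 6.3.2-next.1 is treated as affected. Two prereleases are not ordered here.
function isBefore(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i];
  }
  return pa.pre !== null && pb.pre === null;
}

// Collect affected copies from the v2/v3 "packages" map, or from the nested
// v1 "dependencies" tree when no "packages" map is present.
function findAffected(lock) {
  const hits = [];
  const check = (where, version) => {
    if (version && isBefore(version, PATCHED)) hits.push({ where, version });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) check(path, meta.version);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${trail}>${name}`;
      if (name === PKG) check(where, meta.version);
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "root");
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/@sveltejs/adapter-vercel": { version: "6.3.1" },
  "packages/site/node_modules/@sveltejs/adapter-vercel": { version: "6.3.2" },
} };
console.log(findAffected(sampleLock));
```

Nested copies matter in monorepos: a workspace can pin an older adapter even when the root dependency is already patched.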
Related Issues
- Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter - CVE-2026-29793
- Parse Server OAuth2 authentication adapter account takeover via identity spoofing - CVE-2026-30967
- Cache Poisoning Vulnerability - CVE-2024-29042
- Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter - CVE-2026-27804
Tags
- npm
- @sveltejs/adapter-vercel
Last updated on February 23, 2026