@sveltejs/kit vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

Get a demo

Browse by ecosystem

npmPyPIMavenGoRubyGemsCargoNuGetComposerpubSwiftGitHub Actions
CVE-IDSeverityPackage summary
GHSA-HGV7-V322-MMGRMedium@sveltejs/kit: @sveltejs/kit: `query.batch` cross-talkCVE-2026-40074Medium@sveltejs/kit: @sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-ServiceCVE-2026-40073High@sveltejs/kit: @sveltejs/adapter-node has a BODY_SIZE_LIMIT bypassGHSA-FPG4-JHQR-589CLow@sveltejs/kit: SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)GHSA-88QP-P4QG-RQM6Medium@sveltejs/kit: CPU exhaustion in SvelteKit remote form deserialization (experimental only)GHSA-VRHM-GVG7-FPCFMedium@sveltejs/kit: Memory exhaustion in SvelteKit remote form deserialization (experimental only)CVE-2026-22803High@sveltejs/kit: @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sveltekit-formdata)CVE-2025-67647High@sveltejs/kit: SvelteKit is vulnerable to denial of service and possible SSRF when using prerenderingCVE-2025-32388Medium@sveltejs/kit: @sveltejs/kit vulnerable to Cross-site Scripting via tracked search_paramsCVE-2024-53261Low@sveltejs/kit: @sveltejs/kit vulnerable to XSS on dev mode 404 pageCVE-2024-53262Low@sveltejs/kit: @sveltejs/kit has unescaped error message included on error pageCVE-2024-23641High@sveltejs/kit: Sending a GET or HEAD request with a body crashes SvelteKitCVE-2023-29008High@sveltejs/kit: SvelteKit framework has Insufficient CSRF protection for CORS requestsCVE-2023-29003High@sveltejs/kit: SvelteKit vulnerable to Cross-Site Request Forgery

Stop the waste.
Protect your environment with Kodem.