Vulnerability Description
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications that call devalue.parse on externally supplied data. The root cause is that typed array hydration expects an ArrayBuffer as input but does not verify that assumption before constructing the typed array. This vulnerability is fixed in 5.6.2.
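The following is an added illustration, not devalue's own code: it shows the class of guard the fix describes (confirm the hydrated value really is an ArrayBuffer and that the requested view fits before creating a typed array) plus a helper that flags installed versions inside the affected range stated above. Function names and the wire shape (kind, buffer, offset, length) are assumptions for the example.

```javascript
// Added example; not the devalue project's code. Assumed shape: a hydrator
// receives a typed-array kind, the buffer it should view, and optional offset/length.
const TYPED_ARRAY_CTORS = {
  Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array,
  Int32Array, Uint32Array, Float32Array, Float64Array, BigInt64Array, BigUint64Array,
};

// Build a typed-array view over `buffer`, rejecting anything that is not a real
// ArrayBuffer or whose offset/length would not fit inside it. The advisory's
// root cause is the absence of exactly this kind of check.
function hydrateTypedArray(kind, buffer, byteOffset = 0, length) {
  const Ctor = TYPED_ARRAY_CTORS[kind];
  if (!Ctor) throw new TypeError(`unknown typed array kind: ${kind}`);
  if (!(buffer instanceof ArrayBuffer)) {
    throw new TypeError(`${kind} hydration expects an ArrayBuffer, got ${typeof buffer}`);
  }
  const size = Ctor.BYTES_PER_ELEMENT;
  if (!Number.isInteger(byteOffset) || byteOffset < 0 || byteOffset % size !== 0) {
    throw new RangeError(`invalid byteOffset ${byteOffset} for ${kind}`);
  }
  const available = buffer.byteLength - byteOffset;
  const len = length === undefined ? Math.floor(available / size) : length;
  if (!Number.isInteger(len) || len < 0 || len * size > available) {
    throw new RangeError(`view of ${len} ${kind} elements does not fit in buffer`);
  }
  return new Ctor(buffer, byteOffset, len);
}

// Inventory helper: true when a plain "x.y.z" version falls in the affected
// range given in this advisory (>= 5.3.0, < 5.6.2).
function isAffectedDevalueVersion(version) {
  const parts = String(version).split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n))) return false;
  const cmp = (a, b) => {
    for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
    return 0;
  };
  return cmp(parts, [5, 3, 0]) >= 0 && cmp(parts, [5, 6, 2]) < 0;
}
```

Run `isAffectedDevalueVersion` over the `devalue` entry in a lockfile to find installs that need the 5.6.2 upgrade; the hydrator shows the shape of the input validation that belongs in front of any typed-array construction from untrusted data.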
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Svelte | Devalue | >= 5.3.0, < 5.6.2 |
Related Weaknesses (CWE)
References
- Patch: https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aab
- Release Notes: https://github.com/sveltejs/devalue/releases/tag/v5.6.2
- Vendor Advisory: https://github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mv
FAQ
What is CVE-2026-22774?
CVE-2026-22774 is a vulnerability with a CVSS score of 7.5 (HIGH). Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume exce...
How severe is CVE-2026-22774?
CVE-2026-22774 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2026-22774?
Check the references section above for vendor advisories and patch information. Affected products include: Svelte Devalue.