Improper Neutralization of Special Elements in Output Used by a Downstream Component in devalue - #VU127519

 


Published: April 24, 2026


Vulnerability identifier: #VU127519
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Rich Harris
Affected software:
devalue

Detailed vulnerability description

The vulnerability allows a remote user to modify data integrity and disclose limited information.

The vulnerability exists due to improper neutralization of special elements in the output generated by the uneval feature when code produced from untrusted data is later evaluated. A remote privileged user can supply crafted input that is passed through uneval and subsequently evaled, allowing them to modify data integrity and disclose limited information.

Exploitation is possible only under certain circumstances, namely when the code produced by uneval is later evaluated; the crafted input can cause the evaluated output data to have a different shape from the input data.
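The failure mode described above, a round trip whose evaluated output no longer matches the shape of the input, can be checked for defensively at the point where the output is consumed. The following is an added example and not devalue's own code: it computes a structural signature of a value and rejects a serialize/deserialize round trip whose result differs in shape from the input. JSON is used as a stand-in serializer pair so the example runs offline; `shapeOf`, `guardedRoundTrip`, `roundTripPreservesShape` and the sample inputs are this example's own names, and the note about wiring in uneval is an assumption about how the library would be used.

```javascript
// Added example (not devalue's own code): a round-trip shape guard for the
// case where evaluating serializer output yields a value whose shape differs
// from the input. The serializer and deserializer are passed in, so any pair
// can be wrapped; with devalue the pair would be its uneval plus an eval step
// (assumption about usage), with JSON used below so the example runs offline.

// Build a structural signature: prototype name plus, recursively, the shape
// of each own key or element. Primitives compare by type only; a repeated or
// cyclic reference collapses to a marker so the walk terminates.
function shapeOf(value, seen = new WeakSet()) {
  if (value === null) return 'null';
  const t = typeof value;
  if (t !== 'object' && t !== 'function') return t;
  if (seen.has(value)) return 'ref';
  seen.add(value);
  const proto = Object.getPrototypeOf(value);
  const tag = proto === null ? 'nullproto' : (proto.constructor?.name ?? 'anonymous');
  if (Array.isArray(value)) {
    return `${tag}[${value.map((v) => shapeOf(v, seen)).join(',')}]`;
  }
  if (value instanceof Map || value instanceof Set) {
    return `${tag}{${value.size}}`; // size only; entries are not part of the shape
  }
  const body = Object.keys(value)
    .sort()
    .map((k) => `${JSON.stringify(k)}:${shapeOf(value[k], seen)}`)
    .join(',');
  return `${tag}{${body}}`;
}

// Run a serialize/deserialize round trip and refuse the result if its shape
// does not match the input's. Returns the deserialized value on success.
function guardedRoundTrip(input, serialize, deserialize) {
  const output = deserialize(serialize(input));
  const expected = shapeOf(input);
  const actual = shapeOf(output);
  if (expected !== actual) {
    throw new Error(`shape mismatch after round trip: expected ${expected}, got ${actual}`);
  }
  return output;
}

// True when the round trip preserved the input's shape, false otherwise.
function roundTripPreservesShape(input, serialize, deserialize) {
  try { guardedRoundTrip(input, serialize, deserialize); return true; }
  catch { return false; }
}

// Constructed sample inputs: `plain` survives a JSON round trip unchanged in
// shape; `rich` does not (Date becomes a string, Set becomes a plain object).
const plain = { n: 1, s: 'x', list: [1, 2] };
const rich = { when: new Date(0), tags: new Set(['a']) };
```

Running `guardedRoundTrip(rich, JSON.stringify, JSON.parse)` throws with both signatures in the message, which is the condition a consumer of evaluated output would want to log and reject rather than proceed on.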


Remediation

Install the security update from the vendor's website.

Sources