{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T12:40:48.084","vulnerabilities":[{"cve":{"id":"CVE-2026-22774","sourceIdentifier":"security-advisories@github.com","published":"2026-01-15T19:16:05.813","lastModified":"2026-01-20T15:28:55.100","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2."},{"lang":"es","value":"Svelte devalue es una biblioteca de JavaScript que serializa valores en cadenas cuando JSON.stringify no es suficiente para la tarea. Desde la 5.3.0 hasta la 5.6.1, ciertas entradas pueden hacer que devalue.parse consuma tiempo de CPU y/o memoria excesivos, lo que podría llevar a una denegación de servicio en sistemas que analizan entradas de fuentes no confiables. Esto afecta a las aplicaciones que usan devalue.parse en datos suministrados externamente. La causa raíz es la hidratación de arrays tipados que espera un ArrayBuffer como entrada, pero no verifica la suposición antes de crear el array tipado. Esta vulnerabilidad está corregida en la 5.6.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-405"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:svelte:devalue:*:*:*:*:*:node.js:*:*","versionStartIncluding":"5.3.0","versionEndExcluding":"5.6.2","matchCriteriaId":"8EF7822F-5387-4831-9C9C-54BF822F0DA5"}]}]}],"references":[{"url":"https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/sveltejs/devalue/releases/tag/v5.6.2","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mv","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}