{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-03T18:57:50.951","vulnerabilities":[{"cve":{"id":"CVE-2026-22775","sourceIdentifier":"security-advisories@github.com","published":"2026-01-15T19:16:05.963","lastModified":"2026-01-20T15:29:35.663","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2."},{"lang":"es","value":"Svelte devalue es una biblioteca de JavaScript que serializa valores en cadenas cuando JSON.stringify no es suficiente para la tarea. Desde la versión 5.1.0 hasta la 5.6.1, ciertas entradas pueden causar que devalue.parse consuma tiempo de CPU y/o memoria excesivos, lo que podría llevar a una denegación de servicio en sistemas que analizan entradas de fuentes no confiables. Esto afecta a las aplicaciones que utilizan devalue.parse con datos suministrados externamente. La causa raíz es la hidratación de ArrayBuffer que espera cadenas codificadas en base64 como entrada, pero no verifica la suposición antes de decodificar la entrada. Esta vulnerabilidad está corregida en la versión 5.6.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-405"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:svelte:devalue:*:*:*:*:*:node.js:*:*","versionStartIncluding":"5.1.0","versionEndExcluding":"5.6.2","matchCriteriaId":"E70AD508-7046-4740-A03C-8605AC4A5F12"}]}]}],"references":[{"url":"https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/sveltejs/devalue/releases/tag/v5.6.2","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpf","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}