Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40sveltejs/kit@1.0.0-next.224
Type npm
Namespace @sveltejs
Name kit
Version 1.0.0-next.224
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.57.1
Latest_non_vulnerable_version 2.60.1
Affected_by_vulnerabilities
0
url VCID-5q8f-ekd9-57fe
vulnerability_id VCID-5q8f-ekd9-57fe
summary SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. "Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)." The files `packages/kit/src/exports/vite/dev/index.js` and `packages/kit/src/exports/vite/utils.js` both contain user controllable data which under specific conditions may flow to dev mode pages. There is little to no expected impact. The Vite development is not exposed to the network by default and even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data. Nonetheless, this issue has been addressed in version 2.8.3 and all users are advised to upgrade.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53261
reference_id
reference_type
scores
0
value 0.00247
scoring_system epss
scoring_elements 0.4836
published_at 2026-06-12T12:55:00Z
1
value 0.00247
scoring_system epss
scoring_elements 0.48363
published_at 2026-06-14T12:55:00Z
2
value 0.00247
scoring_system epss
scoring_elements 0.48378
published_at 2026-06-13T12:55:00Z
3
value 0.00247
scoring_system epss
scoring_elements 0.48223
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53261
1
reference_url https://github.com/sveltejs/kit
reference_id
reference_type
scores
0
value 0.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sveltejs/kit
2
reference_url https://github.com/sveltejs/kit/pull/13039
reference_id
reference_type
scores
0
value 0.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sveltejs/kit/pull/13039
3
reference_url https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.8.3
reference_id
reference_type
scores
0
value 0.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.8.3
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53261
reference_id
reference_type
scores
0
value 0.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53261
5
reference_url https://github.com/sveltejs/kit/commit/d338d4635a7fd947ba5112df6ee632c4a0979438
reference_id d338d4635a7fd947ba5112df6ee632c4a0979438
reference_type
scores
0
value 0.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
1
value 2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T20:01:35Z/
url https://github.com/sveltejs/kit/commit/d338d4635a7fd947ba5112df6ee632c4a0979438
6
reference_url https://github.com/advisories/GHSA-rjjv-87mx-6x3h
reference_id GHSA-rjjv-87mx-6x3h
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rjjv-87mx-6x3h
7
reference_url https://github.com/sveltejs/kit/security/advisories/GHSA-rjjv-87mx-6x3h
reference_id GHSA-rjjv-87mx-6x3h
reference_type
scores
0
value 0.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T20:01:35Z/
url https://github.com/sveltejs/kit/security/advisories/GHSA-rjjv-87mx-6x3h
fixed_packages
0
url pkg:npm/%40sveltejs/kit@2.8.3
purl pkg:npm/%40sveltejs/kit@2.8.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-epuv-msbd-u7g9
1
vulnerability VCID-px8a-8ars-83f9
2
vulnerability VCID-zxhq-skg2-muaq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540sveltejs/kit@2.8.3
aliases CVE-2024-53261, GHSA-rjjv-87mx-6x3h
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5q8f-ekd9-57fe
1
url VCID-8a8x-bx31-5yfg
vulnerability_id VCID-8a8x-bx31-5yfg
summary
SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods.

SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. While the implementation does a sufficient job in mitigating common CSRF attacks, prior to version 1.15.1, the protection can be bypassed by simply specifying a different `Content-Type` header value.

If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts.

SvelteKit 1.15.1 updates the `is_form_content_type` function call in the CSRF protection logic to include `text/plain`. As additional hardening of the CSRF protection mechanism against potential method overrides, SvelteKit 1.15.1 is now performing validation on `PUT`, `PATCH` and `DELETE` methods as well. This latter hardening is only needed to protect users who have put in some sort of `?_method= override` feature themselves in their `handle` hook, so that the request that resolve sees could be `PUT`/`PATCH`/`DELETE` when the browser issues a `POST` request.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-29003
reference_id
reference_type
scores
0
value 0.00259
scoring_system epss
scoring_elements 0.49596
published_at 2026-06-11T12:55:00Z
1
value 0.00259
scoring_system epss
scoring_elements 0.49739
published_at 2026-06-14T12:55:00Z
2
value 0.00259
scoring_system epss
scoring_elements 0.49732
published_at 2026-06-12T12:55:00Z
3
value 0.00259
scoring_system epss
scoring_elements 0.49751
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-29003
1
reference_url https://github.com/sveltejs/kit
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sveltejs/kit
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-29003
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-29003
3
reference_url https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%401.15.1
reference_id %40sveltejs%2Fkit%401.15.1
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-10T21:29:10Z/
url https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%401.15.1
4
reference_url https://github.com/sveltejs/kit/commit/bb2253d51d00aba2e4353952d4fb0dcde6c77123
reference_id bb2253d51d00aba2e4353952d4fb0dcde6c77123
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-10T21:29:10Z/
url https://github.com/sveltejs/kit/commit/bb2253d51d00aba2e4353952d4fb0dcde6c77123
5
reference_url https://github.com/advisories/GHSA-5p75-vc5g-8rv2
reference_id GHSA-5p75-vc5g-8rv2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5p75-vc5g-8rv2
6
reference_url https://github.com/sveltejs/kit/security/advisories/GHSA-5p75-vc5g-8rv2
reference_id GHSA-5p75-vc5g-8rv2
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-10T21:29:10Z/
url https://github.com/sveltejs/kit/security/advisories/GHSA-5p75-vc5g-8rv2
fixed_packages
0
url pkg:npm/%40sveltejs/kit@1.15.1
purl pkg:npm/%40sveltejs/kit@1.15.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5q8f-ekd9-57fe
1
vulnerability VCID-epuv-msbd-u7g9
2
vulnerability VCID-px8a-8ars-83f9
3
vulnerability VCID-qv9g-usgy-5ycq
4
vulnerability VCID-ykw8-33gd-t3f1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540sveltejs/kit@1.15.1
aliases CVE-2023-29003, GHSA-5p75-vc5g-8rv2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8a8x-bx31-5yfg
2
url VCID-epuv-msbd-u7g9
vulnerability_id VCID-epuv-msbd-u7g9
summary SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40073
reference_id
reference_type
scores
0
value 0.0009
scoring_system epss
scoring_elements 0.25599
published_at 2026-06-11T12:55:00Z
1
value 0.0009
scoring_system epss
scoring_elements 0.25813
published_at 2026-06-13T12:55:00Z
2
value 0.0009
scoring_system epss
scoring_elements 0.25797
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40073
1
reference_url https://github.com/sveltejs/kit
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sveltejs/kit
2
reference_url https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40073
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40073
4
reference_url https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95
reference_id 3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T15:04:15Z/
url https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95
5
reference_url https://github.com/advisories/GHSA-2crg-3p73-43xp
reference_id GHSA-2crg-3p73-43xp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2crg-3p73-43xp
6
reference_url https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp
reference_id GHSA-2crg-3p73-43xp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T15:04:15Z/
url https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp
7
reference_url https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1
reference_id kit@2.57.1
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T15:04:15Z/
url https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1
fixed_packages
0
url pkg:npm/%40sveltejs/kit@2.57.1
purl pkg:npm/%40sveltejs/kit@2.57.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540sveltejs/kit@2.57.1
aliases CVE-2026-40073, GHSA-2crg-3p73-43xp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-epuv-msbd-u7g9
3
url VCID-px8a-8ars-83f9
vulnerability_id VCID-px8a-8ars-83f9
summary SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in an HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40074
reference_id
reference_type
scores
0
value 0.00057
scoring_system epss
scoring_elements 0.18318
published_at 2026-06-14T12:55:00Z
1
value 0.00057
scoring_system epss
scoring_elements 0.18158
published_at 2026-06-11T12:55:00Z
2
value 0.00057
scoring_system epss
scoring_elements 0.18343
published_at 2026-06-13T12:55:00Z
3
value 0.00057
scoring_system epss
scoring_elements 0.1832
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40074
1
reference_url https://github.com/sveltejs/kit
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sveltejs/kit
2
reference_url https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40074
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40074
4
reference_url https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd
reference_id 10d7b44425c3d9da642eecce373d0c6ef83b4fcd
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:17:18Z/
url https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd
5
reference_url https://github.com/advisories/GHSA-3f6h-2hrp-w5wx
reference_id GHSA-3f6h-2hrp-w5wx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3f6h-2hrp-w5wx
6
reference_url https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx
reference_id GHSA-3f6h-2hrp-w5wx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:17:18Z/
url https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx
7
reference_url https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1
reference_id kit@2.57.1
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:17:18Z/
url https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1
fixed_packages
0
url pkg:npm/%40sveltejs/kit@2.57.1
purl pkg:npm/%40sveltejs/kit@2.57.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540sveltejs/kit@2.57.1
aliases CVE-2026-40074, GHSA-3f6h-2hrp-w5wx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-px8a-8ars-83f9
4
url VCID-qv9g-usgy-5ycq
vulnerability_id VCID-qv9g-usgy-5ycq
summary SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% — the HTTP status, and %sveltekit.error.message% — the error message. This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. Only applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable. This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53262
reference_id
reference_type
scores
0
value 0.00193
scoring_system epss
scoring_elements 0.41139
published_at 2026-06-11T12:55:00Z
1
value 0.00193
scoring_system epss
scoring_elements 0.41315
published_at 2026-06-14T12:55:00Z
2
value 0.00193
scoring_system epss
scoring_elements 0.41325
published_at 2026-06-13T12:55:00Z
3
value 0.00193
scoring_system epss
scoring_elements 0.41306
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53262
1
reference_url https://github.com/sveltejs/kit
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sveltejs/kit
2
reference_url https://github.com/sveltejs/kit/pull/13050
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sveltejs/kit/pull/13050
3
reference_url https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.8.3
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.8.3
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53262
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53262
5
reference_url https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794
reference_id 134e36343ef57ed7e6e2b3bb9e7f05ad37865794
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value 2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T20:23:50Z/
url https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794
6
reference_url https://kit.svelte.dev/docs/errors
reference_id errors
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value 2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T20:23:50Z/
url https://kit.svelte.dev/docs/errors
7
reference_url https://github.com/advisories/GHSA-mh2x-fcqh-fmqv
reference_id GHSA-mh2x-fcqh-fmqv
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mh2x-fcqh-fmqv
8
reference_url https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv
reference_id GHSA-mh2x-fcqh-fmqv
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
3
value 2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
4
value LOW
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T20:23:50Z/
url https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv
fixed_packages
0
url pkg:npm/%40sveltejs/kit@2.8.3
purl pkg:npm/%40sveltejs/kit@2.8.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-epuv-msbd-u7g9
1
vulnerability VCID-px8a-8ars-83f9
2
vulnerability VCID-zxhq-skg2-muaq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540sveltejs/kit@2.8.3
aliases CVE-2024-53262, GHSA-mh2x-fcqh-fmqv
risk_score 1.9
exploitability 0.5
weighted_severity 3.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qv9g-usgy-5ycq
5
url VCID-ykw8-33gd-t3f1
vulnerability_id VCID-ykw8-33gd-t3f1
summary
The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods.

SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at `kit/src/runtime/server/respond.js`. While the implementation does a sufficient job of mitigating common CSRF attacks, the protection can be bypassed in versions prior to 1.15.2 by simply specifying an upper-cased `Content-Type` header value. The browser will not send uppercase characters, but this check does not block all expected CORS requests.

If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts. This may lead to all POST operations requiring authentication being allowed in the following cases: If the target site sets `SameSite=None` on its auth cookie and the user visits a malicious site in a Chromium-based browser; if the target site doesn't set the `SameSite` attribute explicitly and the user visits a malicious site with Firefox/Safari with tracking protections turned off; and/or if the user is visiting a malicious site with a very outdated browser.

SvelteKit 1.15.2 contains a patch for this issue. It is also recommended to explicitly set `SameSite` to a value other than `None` on authentication cookies especially if the upgrade cannot be done in a timely manner.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-29008
reference_id
reference_type
scores
0
value 0.00278
scoring_system epss
scoring_elements 0.51658
published_at 2026-06-14T12:55:00Z
1
value 0.00278
scoring_system epss
scoring_elements 0.51662
published_at 2026-06-12T12:55:00Z
2
value 0.00278
scoring_system epss
scoring_elements 0.51531
published_at 2026-06-11T12:55:00Z
3
value 0.00278
scoring_system epss
scoring_elements 0.51673
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-29008
1
reference_url https://github.com/sveltejs/kit
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sveltejs/kit
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-29008
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-29008
3
reference_url https://github.com/sveltejs/kit/commit/ba436c6685e751d968a960fbda65f24cf7a82e9f
reference_id ba436c6685e751d968a960fbda65f24cf7a82e9f
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:26:20Z/
url https://github.com/sveltejs/kit/commit/ba436c6685e751d968a960fbda65f24cf7a82e9f
4
reference_url https://github.com/advisories/GHSA-gv7g-x59x-wf8f
reference_id GHSA-gv7g-x59x-wf8f
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gv7g-x59x-wf8f
5
reference_url https://github.com/sveltejs/kit/security/advisories/GHSA-gv7g-x59x-wf8f
reference_id GHSA-gv7g-x59x-wf8f
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:26:20Z/
url https://github.com/sveltejs/kit/security/advisories/GHSA-gv7g-x59x-wf8f
fixed_packages
0
url pkg:npm/%40sveltejs/kit@1.15.2
purl pkg:npm/%40sveltejs/kit@1.15.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5q8f-ekd9-57fe
1
vulnerability VCID-epuv-msbd-u7g9
2
vulnerability VCID-px8a-8ars-83f9
3
vulnerability VCID-qv9g-usgy-5ycq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540sveltejs/kit@1.15.2
aliases CVE-2023-29008, GHSA-gv7g-x59x-wf8f
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ykw8-33gd-t3f1
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540sveltejs/kit@1.0.0-next.224