{"url":"http://public2.vulnerablecode.io/api/packages/764594?format=json","purl":"pkg:npm/%40sveltejs/kit@2.8.1","type":"npm","namespace":"@sveltejs","name":"kit","version":"2.8.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.57.1","latest_non_vulnerable_version":"2.60.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44725?format=json","vulnerability_id":"VCID-5q8f-ekd9-57fe","summary":"SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. \"Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).\" The files `packages/kit/src/exports/vite/dev/index.js` and `packages/kit/src/exports/vite/utils.js` both contain user-controllable data which under specific conditions may flow to dev mode pages. There is little to no expected impact. The Vite development server is not exposed to the network by default and even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data. 
None the less this issue has been addressed in version 2.8.3 and all users are advised to upgrade.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53261","reference_id":"","reference_type":"","scores":[{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.4836","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.48363","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.48378","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.48223","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53261"},{"reference_url":"https://github.com/sveltejs/kit","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/kit"},{"reference_url":"https://github.com/sveltejs/kit/pull/13039","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/kit/pull/13039"},{"reference_url":"https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.8.3","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.8.3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53261","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1
/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53261"},{"reference_url":"https://github.com/sveltejs/kit/commit/d338d4635a7fd947ba5112df6ee632c4a0979438","reference_id":"d338d4635a7fd947ba5112df6ee632c4a0979438","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T20:01:35Z/"}],"url":"https://github.com/sveltejs/kit/commit/d338d4635a7fd947ba5112df6ee632c4a0979438"},{"reference_url":"https://github.com/advisories/GHSA-rjjv-87mx-6x3h","reference_id":"GHSA-rjjv-87mx-6x3h","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rjjv-87mx-6x3h"},{"reference_url":"https://github.com/sveltejs/kit/security/advisories/GHSA-rjjv-87mx-6x3h","reference_id":"GHSA-rjjv-87mx-6x3h","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T20:01:35Z/"}],"url":"https://github.com/sveltejs/kit/security/advisories/GHSA-rjjv-87mx-6x3h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372785?format=json","purl":"pkg:npm/%40sveltejs/ki
t@2.8.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-epuv-msbd-u7g9"},{"vulnerability":"VCID-px8a-8ars-83f9"},{"vulnerability":"VCID-zxhq-skg2-muaq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540sveltejs/kit@2.8.3"}],"aliases":["CVE-2024-53261","GHSA-rjjv-87mx-6x3h"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5q8f-ekd9-57fe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84355?format=json","vulnerability_id":"VCID-epuv-msbd-u7g9","summary":"SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. 
This vulnerability is fixed in 2.57.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40073","reference_id":"","reference_type":"","scores":[{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25599","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25813","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25797","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40073"},{"reference_url":"https://github.com/sveltejs/kit","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/kit"},{"reference_url":"https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40073","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40073"},{"reference_url":"https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95","reference_id":"3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/V
A:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T15:04:15Z/"}],"url":"https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95"},{"reference_url":"https://github.com/advisories/GHSA-2crg-3p73-43xp","reference_id":"GHSA-2crg-3p73-43xp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2crg-3p73-43xp"},{"reference_url":"https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp","reference_id":"GHSA-2crg-3p73-43xp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T15:04:15Z/"}],"url":"https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp"},{"reference_url":"https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1","reference_id":"kit@2.57.1","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T15:04:15Z/"}],"url":"https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373309?format=json","purl":"pkg:npm/%40sveltejs/kit@2.57.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%254
0sveltejs/kit@2.57.1"}],"aliases":["CVE-2026-40073","GHSA-2crg-3p73-43xp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-epuv-msbd-u7g9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84155?format=json","vulnerability_id":"VCID-px8a-8ars-83f9","summary":"SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40074","reference_id":"","reference_type":"","scores":[{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.18318","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.18158","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.18343","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.1832","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40074"},{"reference_url":"https://github.com/sveltejs/kit","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/kit"},{"reference_url":"https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40074","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40074"},{"reference_url":"https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd","reference_id":"10d7b44425c3d9da642eecce373d0c6ef83b4fcd","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:17:18Z/"}],"url":"https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd"},{"reference_url":"https://github.com/advisories/GHSA-3f6h-2hrp-w5wx","reference_id":"GHSA-3f6h-2hrp-w5wx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3f6h-2hrp-w5wx"},{"reference_url":"https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx","reference_id":"GHSA-3f6h-2hrp-w5wx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:
A/M:M/D:T/2026-04-14T14:17:18Z/"}],"url":"https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx"},{"reference_url":"https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1","reference_id":"kit@2.57.1","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:17:18Z/"}],"url":"https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373309?format=json","purl":"pkg:npm/%40sveltejs/kit@2.57.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540sveltejs/kit@2.57.1"}],"aliases":["CVE-2026-40074","GHSA-3f6h-2hrp-w5wx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-px8a-8ars-83f9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44435?format=json","vulnerability_id":"VCID-qv9g-usgy-5ycq","summary":"SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% — the HTTP status, and %sveltekit.error.message% — the error message.  This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. 
Only applications where user-provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable. This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53262","reference_id":"","reference_type":"","scores":[{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41139","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41315","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41325","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41306","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53262"},{"reference_url":"https://github.com/sveltejs/kit","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/kit"},{"reference_url":"https://github.com/sveltejs/kit/pull/13050","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/kit/pull/13050"},{"reference_url":"https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.8.3","reference_id":"","reference_type":"","
scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.8.3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53262","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53262"},{"reference_url":"https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794","reference_id":"134e36343ef57ed7e6e2b3bb9e7f05ad37865794","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T20:23:50Z/"}],"url":"https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794"},{"reference_url":"https://kit.svelte.dev/docs/errors","reference_id":"errors","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"1.3","scoring_system":"cvssv4","scoring_eleme
nts":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T20:23:50Z/"}],"url":"https://kit.svelte.dev/docs/errors"},{"reference_url":"https://github.com/advisories/GHSA-mh2x-fcqh-fmqv","reference_id":"GHSA-mh2x-fcqh-fmqv","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mh2x-fcqh-fmqv"},{"reference_url":"https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv","reference_id":"GHSA-mh2x-fcqh-fmqv","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T20:23:50Z/"}],"url":"https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372785?format=json","purl":"pkg:npm/%40sveltejs/kit@2.8.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-epuv-msbd-u7g9"},{"vulnerability":"VCID-px8a-8ars-83f9"},{"vulnerability":"VCID-zxhq-skg2-muaq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540sveltejs/kit@2.8.3"}],"aliases":["CVE-2024-53262","G
HSA-mh2x-fcqh-fmqv"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qv9g-usgy-5ycq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/114812?format=json","vulnerability_id":"VCID-zxhq-skg2-muaq","summary":"SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6, unsanitized search param names cause an XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. This vulnerability is fixed in 2.20.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32388","reference_id":"","reference_type":"","scores":[{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51133","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51265","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51264","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51277","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32388"},{"reference_url":"https://github.com/sveltejs/kit","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sveltejs/kit"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32388","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":"
"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32388"},{"reference_url":"https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.20.6","reference_id":"%40sveltejs%2Fkit%402.20.6","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-16T13:33:24Z/"}],"url":"https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.20.6"},{"reference_url":"https://github.com/sveltejs/kit/commit/d3300c6a67908590266c363dba7b0835d9a194cf","reference_id":"d3300c6a67908590266c363dba7b0835d9a194cf","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-16T13:33:24Z/"}],"url":"https://github.com/sveltejs/kit/commit/d3300c6a67908590266c363dba7b0835d9a194cf"},{"reference_url":"https://github.com/advisories/GHSA-6q87-84jw-cjhp","reference_id":"GHSA-6q87-84jw-cjhp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6q87-84jw-cjhp"},{"reference_url":"https://github.com/sveltejs/kit/security/advisories/GHSA-6q87-84jw-cjhp","reference_id":"GHSA-6q87-84jw-cjhp","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-16T13
:33:24Z/"}],"url":"https://github.com/sveltejs/kit/security/advisories/GHSA-6q87-84jw-cjhp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376313?format=json","purl":"pkg:npm/%40sveltejs/kit@2.20.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-epuv-msbd-u7g9"},{"vulnerability":"VCID-px8a-8ars-83f9"},{"vulnerability":"VCID-xe5v-xxrc-auan"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540sveltejs/kit@2.20.6"}],"aliases":["CVE-2025-32388","GHSA-6q87-84jw-cjhp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zxhq-skg2-muaq"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540sveltejs/kit@2.8.1"}