saving people a click:

CVE-2026-22775: DoS in devalue.parse due to memory/CPU exhaustion

> Effects: A malicious payload can cause arbitrarily large memory allocation, potentially crashing the process. SvelteKit applications using remote functions are vulnerable, as the parameters are run through devalue.parse If you don’t have remote functions enabled, SvelteKit is not vulnerable

CVE-2026-22774: DoS in devalue.parse due to memory exhaustion (Yes, this is very similar to the previous CVE. No, it is not the same!)

> Effects: A malicious payload can cause arbitrarily large memory allocation, potentially crashing the process SvelteKit applications using remote functions are vulnerable, as the parameters are run through devalue.parse If you don’t have remote functions enabled, SvelteKit is not vulnerable

CVE-2026-22803: Memory amplification DoS in Remote Functions binary form deserializer

> Effects: Users can submit a malicious request that causes your application to hang and allocate arbitrarily-large amounts of memory

CVE-2025-67647: Denial of service and possible SSRF when using prerendering

> Effects: DoS causes the server process to die SSRF allows access to internal resources that can be reached without authentication from SvelteKit’s server runtime If the stars align, it’s possible to obtain SXSS via cache poisoning by forcing a potential CDN to cache an XSS returned by the attacker’s server (the latter being able to specify the cache-control of their choice)

CVE-2025-15265: XSS via hydratable

> Effects: Your users are vulnerable to XSS if an attacker can manage to get a controlled key into hydratable that is then returned to another user

That said, I’m not surprised to see a list of CVEs impacting devalue. After running into some (seemingly arbitrary) limitations, I skimmed the code and it definitely felt like there was some sketchiness to it, given how it handles user inputs. If I were nefarious or a security researcher it would definitely be a focal point for me.