Vulnerability Database

322,388

Total vulnerabilities in the database

CVE-2026-22803

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5.

Published: Jan 15, 2026
Updated: Jan 22, 2026
CVE: CVE-2026-22803
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-789
CWE-770

Affected Software
References

Software	From	Fixed in
svelte / kit	2.49.0	2.49.5

https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5
https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1
https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo