Threat Advisory

Sveltejs Adapter Vulnerability Enables Cache Poisoning

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium

EXECUTIVE SUMMARY:

CVE-2026-27118 affects the @sveltejs/adapter-vercel npm package and carries a CVSS score of 5.3, indicating moderate severity. Versions prior to 6.3.2 are exposed to a cache poisoning weakness caused by the improper exposure, across application routes, of an internal query parameter used for Incremental Static Regeneration (ISR). An attacker can use this behavior to manipulate the caching logic so that sensitive, user-specific responses are stored in the cache and later served to other users, creating a risk of unintended data disclosure. Successful exploitation requires user interaction: an authenticated victim must open an attacker-controlled link, which then triggers the caching of personalized content. The flaw is particularly impactful for applications that rely on shared caching and dynamic rendering, because it breaks the expected isolation between user sessions and cached responses. The issue has been resolved in version 6.3.2, which prevents misuse of the internal parameter and restores proper cache boundaries. Although some deployments may receive partial protection from filtering mechanisms, the vulnerability still represents a realistic privacy and data exposure concern wherever older versions remain in use.

RECOMMENDATION:

We strongly recommend updating @sveltejs/adapter-vercel (npm package) to version 6.3.2 or later.

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-9pq4-5hcf-288c
