npm/devalue — 5 CVEs

HIGH7.5CVE-2026-42570Svelte devalue: DoS via sparse array deserialization

>= 5.6.3, < 5.8.1

HIGH7.5CVE-2026-22775devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse

>= 5.1.0, < 5.6.2

HIGH7.5CVE-2026-22774Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse

>= 5.3.0, < 5.6.2

—CVE-2026-30226devalue has prototype pollution in devalue.parse and devalue.unflatten

from 0, < 5.6.4

—devalue prototype pollution vulnerability

from 0, < 5.3.2

pkg:npm/devalue