CVE-2026-13676 fast-uri vulnerable to host confusion via failed IDN canonicalization

🗓️ 29 Jun 2026 13:22:44Reported by openjsType

CVE-2026-13676: fast-uri fails IDN host canonicalization, causing host confusion and policy bypass.

Reporter	Title	Published	Views	Family All 8
ATTACKERKB	CVE-2026-13676	29 Jun 202613:22	–	attackerkb
Circl	CVE-2026-13676	29 Jun 202613:33	–	circl
CVE	CVE-2026-13676	29 Jun 202613:22	–	cve
EUVD	EUVD-2026-40093	29 Jun 202613:22	–	euvd
NVD	CVE-2026-13676	29 Jun 202614:16	–	nvd
Positive Technologies	PT-2026-53267	29 Jun 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-13676	29 Jun 202617:24	–	redhatcve
Vulnrichment	CVE-2026-13676 fast-uri vulnerable to host confusion via failed IDN canonicalization	29 Jun 202613:22	–	vulnrichment

[
  {
    "vendor": "fast-uri",
    "product": "fast-uri",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "versionType": "semver",
        "status": "affected",
        "version": "4.0.0",
        "lessThan": "4.0.1"
      },
      {
        "versionType": "semver",
        "status": "unaffected",
        "version": "4.0.1"
      },
      {
        "versionType": "semver",
        "status": "affected",
        "version": "2.3.1",
        "lessThan": "3.1.3"
      },
      {
        "versionType": "semver",
        "status": "unaffected",
        "version": "3.1.3"
      }
    ],
    "packageURL": "pkg:npm/fast-uri"
  }
]

Source	Link
cna	www.cna.openjsf.org/security-advisories.html
github	www.github.com/fastify/fast-uri/security/advisories/GHSA-4c8g-83qw-93j6

29 Jun 2026 13:22Current

CVSS 3.17.5

CWE-436