Interpretation Conflict

Overview @fastify/middie is a Middleware engine for Fastify Affected versions of this package are vulnerable to Interpretation Conflict in the propagation of middleware paths to child plugin scopes due to incorrect re-prefixing. An attacker can gain unauthorized access to protected routes by...

EUVD-2026-23241

@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes...

EUVD-2026-23235

@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option...

GHSA-V9WW-2J6R-98Q6 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

Impact @fastify/middie v9.3.1 and earlier does not read the deprecated but still functional top-level ignoreDuplicateSlashes option, only reading from routerOptions. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, allowing middleware bypass via...

@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

Impact @fastify/middie v9.3.1 and earlier does not read the deprecated but still functional top-level ignoreDuplicateSlashes option, only reading from routerOptions. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, allowing middleware bypass via...

CVE-2026-33804 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicat...

CVE-2026-33804

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicat...

CVE-2026-33804 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicat...

CVE-2026-6270

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the...

CVE-2026-6270 @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the...

PT-2026-33323

Name of the Vulnerable Software and Affected Versions @fastify/middie versions prior to 9.3.2 Description A middleware bypass exists when the deprecated ignoreDuplicateSlashes option is enabled. The middleware path matching logic fails to account for duplicate slash normalization performed by the...

PT-2026-33320

Name of the Vulnerable Software and Affected Versions @fastify/middie versions prior to 9.3.2 Description Inherited middleware is not registered directly on child plugin engine instances. When authentication middleware is registered in a parent scope and child plugins are registered with...

Kibana 9.3.3 Security Update (ESA-2026-28)

Server-Side Request Forgery SSRF in Kibana One Workflow Leading to Information Disclosure Server-Side Request Forgery CWE-918 in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in...

VulnCheck KEV: CVE-2020-5284

Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory .next. This does not affect files outside of the dist directory .next. In general, the dist directory only holds build assets unless your applicatio...

CVE-2025-53574

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ptibogxiv Doliconnect doliconnect allows Reflected XSS.This issue affects Doliconnect: from n/a through = 9.3.2...

EUVD-2024-2673

Malicious code in bioql PyPI...

CVE-2025-21038

Improper verification of intent by SamsungExceptionalBroadcastReceiver in S Assistant prior to version 9.3.2 allows local attackers to modify itinerary information...

CVE-2025-21040

Improper verification of intent by ExternalBroadcastReceiver in S Assistant prior to version 9.3.2 allows local attackers to modify itinerary information...

CVE-2025-21040

Samsung S Assistant is affected by CVE-2025-21040 due to improper verification of intent in ExternalBroadcastReceiver. Versions before 9.3.2 allow local attackers to modify itinerary information. Affected software: S Assistant prior to 9.3.2. Root cause: insufficient validation of intent in the E...

PT-2025-35694

Name of the Vulnerable Software and Affected Versions: S Assistant versions prior to 9.3.2 Description: Improper verification of intent by ExternalBroadcastReceiver in S Assistant allows local attackers to modify itinerary information. Recommendations: Update S Assistant to version 9.3.2 or later...