Lucene search
K

4 matches found

RedhatCVE
RedhatCVE
added 2026/04/16 7:58 p.m.6 views

CVE-2026-6414

A flaw was found in @fastify/static. A remote attacker can exploit this vulnerability by sending specially crafted requests that include percent-encoded path separators. This mismatch in how @fastify/static decodes these separators compared to the Fastify router allows the attacker to bypass...

5.9CVSS5.7AI score0.00398EPSS
Exploits0References7
vulnersOsv
vulnersOsv
added 2026/04/16 1:9 p.m.7 views

@13w/local-rag (>=1.6.0 <=1.7.2), @24letters/devservers (>=0.1.0 <=0.5.0) +632 more potentially affected by CVE-2026-6414 via @fastify/static (>=8.0.0 <=9.1.0)

@fastify/static NPM version =8.0.0, =1.6.0, =0.1.0, =0.1.0, =0.4.0, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =0.1.0, =0.1.0, =1.0.0-beta.23, =0.0.1, =1.0.0, =4.76.1 - @akiojin/claude-worktree =1.33.0 and more Source cves: CVE-2026-6414 Source advisory: SNYK:JS-FASTIFYSTATIC-16098210...

5.9CVSS5.7AI score0.00398EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/04/16 1:9 p.m.4 views

CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

5.9CVSS5.8AI score0.00398EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/04/16 1:9 p.m.33 views

CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

5.9CVSS0.00398EPSS
Exploits0References4
Rows per page
Query Builder