@cmmn/tools (>=3.0.0-alpha-1 <=3.0.0-alpha-6), mikr0 (=0.1.10) potentially affected by CVE-2026-33807 via @fastify/express (>=4.0.1 <=4.0.2)

@fastify/express NPM version =4.0.1, =3.0.0-alpha-1, =3.0.0-alpha-6 - mikr0 =0.1.10 Source cves: CVE-2026-33807 Source advisory: SNYK:JS-FASTIFYEXPRESS-16068280...

CVE-2026-33807

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...