8219 matches found
Missing Release of Resource after Effective Lifetime
Overview Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime in the makeMiddleware function, when dropping a connection during file upload. An attacker can cause resource exhaustion. Details Denial of Service (DoS) describes a family of attacks,...
CVE-2026-27792
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other...
CVE-2026-2880
A vulnerability in @fastify/middie versions 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related...
EUVD-2026-9049
@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware...
@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware
Summary A path normalization inconsistency in @fastify/middie can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled such as ignoreDuplicateSlashes, useSemicolonDelimiter, and...
GHSA-8P85-9QPW-FWGW @fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware
Summary A path normalization inconsistency in @fastify/middie can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled such as ignoreDuplicateSlashes, useSemicolonDelimiter, and...
Duplicate Advisory: Nest has a Fastify URL Encoding Middleware Bypass
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r4wm-x892-vjmx. This link is maintained to preserve external references. Original Description A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when...
CVE-2026-2880 @fastify/middie has an improper path normalization vulnerability
A vulnerability in @fastify/middie versions 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related...
Incomplete Cleanup
Overview Affected versions of this package are vulnerable to Incomplete Cleanup in the makeMiddleware function in make-middleware.js. An attacker can cause resource exhaustion by sending malformed requests. Details Denial of Service (DoS) describes a family of attacks, all aimed at making a system...
Multer Security Vulnerability
Multer is an open-source middleware for Node.js developed by ExpressJS. Versions of Multer prior to 2.1.0 contained a security vulnerability, which was caused by improper handling of specially crafted requests, potentially leading to denial-of-service attacks...
PT-2026-22377
Name of the Vulnerable Software and Affected Versions: @fastify/middie versions prior to 9.2.0. Description: A flaw exists in @fastify/middie that can lead to authentication or authorization bypass when path-scoped middleware is used, such as with app.use('/secret', auth). This occurs when Fastify...
GO-2026-4540 Fiber has an Arbitrary File Read in Static Middleware on Windows in github.com/gofiber/fiber/v3
Fiber has an Arbitrary File Read in Static Middleware on Windows in github.com/gofiber/fiber/v3...
GO-2026-4502 Echo has a Windows path traversal via backslash in middleware.Static default filesystem in github.com/labstack/echo/v5
Echo has a Windows path traversal via backslash in middleware.Static default filesystem in github.com/labstack/echo/v5...
Remote Code Execution (RCE)
Overview @whyour/qinglong is a timed task management platform supporting Python3, JavaScript, Shell, Typescript. Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the application's Express.js middleware that allows rewriting /open/ to the /api/$1 API interface. A remot...
GHSA-3534-XP88-25RC Parse Dashboard is Missing CSRF Protection for its Agent Endpoint
Impact The AI Agent API endpoint POST /apps/:appId/agent lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. Patches The fix adds CSRF middleware to the agent endpoi...