CVE-2026-2880 @fastify/middie has an improper path normalization vulnerability

A vulnerability in @fastify/middie versions 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware for example, app.use'/secret', auth. When Fastify router normalization options are enabled such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related...

CVE-2026-2880

Summary: CVE-2026-2880 concerns a path normalization issue in @fastify/middie (versions

Incorrect Authorization

Overview @nestjs/platform-fastify is a Nest - modern, fast, powerful node.js web framework @platform-fastify Affected versions of this package are vulnerable to Incorrect Authorization when Fastify path-normalization options e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter...

Incorrect Authorization

Overview @nestjs/core is a Nest - modern, fast, powerful node.js web framework @core Affected versions of this package are vulnerable to Incorrect Authorization when Fastify path-normalization options e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter are enabled. An attacke...

CVE-2026-2293

A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13...

CVE-2026-2293

A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13...

CVE-2026-2293

Summary: CVE-2026-2293 describes a bypass of authentication/authorization in NestJS apps using @nestjs/platform-fastify when Fastify path-normalization options are enabled. The root cause is a mismatch between middleware evaluation and route dispatch due to differing URL interpretations, allowing...

CVE-2026-2293

A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13...

CVE-2026-2293 NestJS 11.1.13 - Lack of data validation allowing authentication/authorization bypass

A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13...

CVE-2026-2293 NestJS 11.1.13 - Lack of data validation allowing authentication/authorization bypass

A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13...

@fastify/middie 安全漏洞

@fastify/middie is an open-source middleware engine developed by Fastify. Versions of @fastify/middie prior to 9.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the possibility of bypassing the path range middleware when using router normalization options, which could...

nest 安全漏洞

nest is a Node.js framework developed by Nestjs, designed for building efficient, scalable, and enterprise-level server-side applications using TypeScript/JavaScript. Version 11.1.13 of nest contains a security vulnerability. This vulnerability arises from NestJS applications that utilize...

PT-2026-22377

Name of the Vulnerable Software and Affected Versions @fastify/middie versions prior to 9.2.0 Description A flaw exists in @fastify/middie that can lead to authentication or authorization bypass when path-scoped middleware is used, such as with app.use'/secret', auth. This occurs when Fastify...

PT-2026-22347

Name of the Vulnerable Software and Affected Versions Nest.js version 11.1.13 Description A NestJS application utilizing the @nestjs/platform-fastify package may experience a bypass of authentication and authorization middleware when Fastify path-normalization options are enabled. This can...

GO-2026-4538 Caddy MatchPath %xx branch skips case normalization in github.com/caddyserver/caddy/v2

Caddy MatchPath %xx branch skips case normalization in github.com/caddyserver/caddy/v2...

CVE-2026-27704 Dart SDK and Flutter SDK have Zip slip in Dart Pub package extraction

The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client dart pub and flutter pub extracts a package in the pub cache, a malicious package archive can...

CVE-2026-27704 Dart SDK and Flutter SDK have Zip slip in Dart Pub package extraction

The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client dart pub and flutter pub extracts a package in the pub cache, a malicious package archive can...

CVE-2026-27704 Dart SDK and Flutter SDK have Zip slip in Dart Pub package extraction

The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client dart pub and flutter pub extracts a package in the pub cache, a malicious package archive can...

CVE-2026-27704

The CVE-2026-27704 issue affects the Dart SDKs and Flutter SDKs prior to versions 3.11.0 and 3.41.0, respectively. During package extraction in the pub cache (via dart pub and flutter pub), a malicious package archive could cause files to be written outside the destination directory due to a path...

PT-2026-21924

Name of the Vulnerable Software and Affected Versions Dart SDK versions prior to 3.11.0 Flutter SDK versions prior to 3.41.0 Description The Dart and Flutter SDKs are susceptible to a path traversal issue within the pub client dart pub and flutter pub when extracting package archives from the PUB...