Lucene search
+L

6 matches found

NVD
NVD
added yesterday9 views

CVE-2026-16117

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string...

10CVSS
Exploits0References2
NVD
NVD
added yesterday7 views

CVE-2026-15631

Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which...

8.7CVSS
Exploits0References2
CVE
CVE
added yesterday7 views

CVE-2026-16117

The CVE concerns @fastify/http-proxy (affected: up to 11.5.0) where URL prefix rewriting fails when the prefix segment is URL-encoded. Fastify decodes paths for route matching, but request.url keeps the original encoded form. The prefixRewrite step compares against the decoded prefix using a lite...

10CVSS5.3AI score
Exploits0References2
CVE
CVE
added yesterday9 views

CVE-2026-15631

The CVE affects the Node.js package @fastify/http-proxy, versions 9.4.0 through 11.5.0. A WebSocket routing flaw in WebSocketProxy.findUpstream lets the WHATWG URL constructor collapse dot segments, causing crafted upgrade requests with path traversal to bypass the configured rewrite prefix and r...

8.7CVSS5.5AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-15631

Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which...

8.7CVSS5.4AI score
Exploits0References3Affected Software1
EUVD
EUVD
added yesterday4 views

EUVD-2026-45375

Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which...

8.7CVSS5.5AI score
Exploits0References2
Rows per page
Query Builder