CVE-2026-6322
CVE-2026-6322 affects the fast-uri package. The vuln lies in normalize(): it decodes percent-encoded authority delimiters inside the host and then re-emits them as raw delimiters during serialization. This can cause a host, which combines an allowed domain, an encoded at-sign, and a different dom...