Lucene search
K

651 matches found

CVE
CVE
added 2026/04/15 9:29 a.m.22 views

CVE-2026-33808

CVE-2026-33808 affects fastify/express. Root cause: @fastify/express v4.0.4 and earlier fail to normalize URLs before passing to Express middleware when Fastify router normalization is enabled, allowing bypass of path-scoped authentication via duplicate slashes or semicolon delimiters. Outcome: a...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/15 9:29 a.m.5 views

CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References2
NVD
NVD
added 2026/04/15 4:17 a.m.6 views

CVE-2026-33806

Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify = 5.3...

7.5CVSS0.00408EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/15 2:9 a.m.5 views

Improper Validation of Specified Type of Input

Overview fastify is an overhead web framework, for Node.js. Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via the schema.body.content when a space is prepended to the Content-Type header. An attacker can bypass input validation by sending...

8.7CVSS5.7AI score0.00408EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/15 2:9 a.m.7 views

0uth (>=1.0.5 <=1.2.1), @___d/common (>=1.0.3 <=1.0.27) +2466 more potentially affected by CVE-2026-33806 via fastify (>=4.29.0 <=5.8.4)

fastify NPM version =4.29.0, =1.0.5, =1.0.3, =0.0.3, =1.0.0, =3.0.0, =0.1.0, =0.0.1, =0.1.0, =2.0.0, =1.0.1, =1.6.2, =1.0.3, =0.3.3, =0.7.3 and more Source cves: CVE-2026-33806 Source advisory: SNYK:JS-FASTIFY-16066793...

7.5CVSS5.7AI score0.00408EPSS
Exploits0
Cvelist
Cvelist
added 2026/04/15 12:14 a.m.38 views

CVE-2026-33806 fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header

Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify = 5.3...

7.5CVSS0.00408EPSS
Exploits0References2
CVE
CVE
added 2026/04/15 12:14 a.m.27 views

CVE-2026-33806

Summary: CVE-2026-33806 affects Fastify where, in applications using schema.body.content, a leading space in the Content-Type header can bypass per-content-type body validation while the body is parsed normally. This is a regression introduced in Fastify &gt;= 5.3.2 as a follow-up to CVE-2025-324...

7.5CVSS7.1AI score0.00408EPSS
Exploits0References5Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/15 12:14 a.m.3 views

CVE-2026-33806 fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header

Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify = 5.3...

7.5CVSS5.8AI score0.00408EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/15 12:14 a.m.7 views

CVE-2026-33806

Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify = 5.3...

7.5CVSS7.1AI score0.00686EPSS
Exploits1References3Affected Software1
CNNVD
CNNVD
added 2026/04/15 12:0 a.m.9 views

fastify/reply-from和fastify/http-proxy 安全漏洞

fastify/reply-from and fastify/http-proxy are both products from the Fastify open-source project. fastify/reply-from is a plugin designed to forward incoming HTTP requests to another server. fastify/http-proxy is a full-featured HTTP proxy plugin that supports proxying WebSocket connections and...

9CVSS5.8AI score0.00441EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/04/15 12:0 a.m.12 views

Fastify 安全漏洞

Fastify is an open-source web framework developed by Fastify. Versions of Fastify prior to 5.8.5 contained security vulnerabilities. These vulnerabilities stemmed from the use of schema.body.content for content-type-based validation. By adding a space before the Content-Type header, the validatio...

7.5CVSS5.8AI score0.00408EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/15 12:0 a.m.9 views

@fastify/express 安全漏洞

@fastify/express is a compatibility plugin developed by Fastify. Versions of @fastify/express 4.0.4 and earlier contain security vulnerabilities. These vulnerabilities arise from failing to normalize URLs before passing them to Express middleware when the Fastify router normalization option is...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/04/15 12:0 a.m.10 views

@fastify/express 安全漏洞

@fastify/express is a compatibility plugin developed by Fastify. Versions of @fastify/express 4.0.4 and earlier contain security vulnerabilities. These vulnerabilities stem from errors in path handling within the onRegister function, which cause the middleware paths to be added repeatedly when...

9.1CVSS5.8AI score0.0043EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.13 views

PT-2026-33035

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.5 Description An issue exists where the software fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows an unauthenticated...

10CVSS5.2AI score0.00483EPSS
Exploits1References11
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.6 views

PT-2026-33000

Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify = 5.3...

7.5CVSS5.8AI score0.00686EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/04/02 10:55 p.m.4 views

CVE-2026-34076

Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...

7.4CVSS5.8AI score0.00309EPSS
Exploits0References1
NVD
NVD
added 2026/04/01 6:16 p.m.8 views

CVE-2026-34076

Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...

7.4CVSS0.00309EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/01 4:59 p.m.4 views

CVE-2026-34076

Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...

7.4CVSS5.8AI score0.00309EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/01 4:59 p.m.3 views

CVE-2026-34076 Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host

Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...

7.4CVSS5.8AI score0.00309EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/01 4:59 p.m.29 views

CVE-2026-34076 Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host

Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...

7.4CVSS0.00309EPSS
Exploits0References1
Rows per page
Query Builder