Lucene search
K

71 matches found

NVD
NVD
added 5 days ago5 views

CVE-2026-53624

Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol for https instead of c.Scheme. This issue is fixe...

4.8CVSS0.00207EPSS
Exploits0References4
NVD
NVD
added 5 days ago5 views

CVE-2026-45045

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add instead of Header.Set when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream serve...

5.3CVSS0.00455EPSS
Exploits0References7
NVD
NVD
added 5 days ago5 views

CVE-2026-44332

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username...

5.3CVSS0.00516EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago42 views

CVE-2026-44332 Fiber: Username Enumeration via Timing Oracle in BasicAuth Default Authorizer

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username...

5.3CVSS0.00516EPSS
Exploits0References4
CVE
CVE
added 5 days ago22 views

CVE-2026-44332

Fiber’s Go-based web framework vulnerability CVE-2026-44332 affects the BasicAuth middleware’s default Authorizer prior to v3.3.0. The issue arises from short-circuit evaluation in the Authorizer: for non-existent usernames, the password hash check is skipped, enabling remote username enumeration...

5.3CVSS6AI score0.00516EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-53624 Fiber: HSTS header never set in helmet middleware due to incorrect protocol check

Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol for https instead of c.Scheme. This issue is fixe...

4.8CVSS0.00207EPSS
Exploits0References4
CVE
CVE
added 5 days ago8 views

CVE-2026-53624

CVE-2026-53624 (Fiber Go) : The helmet middleware fails to set the Strict-Transport-Security header before version 3.4.0 because it checks c.Protocol() for

4.8CVSS6AI score0.00207EPSS
Exploits0References4
NVD
NVD
added 2026/05/11 11:19 p.m.16 views

CVE-2026-42554

Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat feature. The...

6.1CVSS0.00212EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/11 9:47 p.m.41 views

CVE-2026-42554 Fiber: XSS in AutoFormat Content Negotiation

Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat feature. The...

5.3CVSS0.00212EPSS
Exploits1References1
CVE
CVE
added 2026/05/11 9:47 p.m.25 views

CVE-2026-42554

CVE-2026-42554 describes an XSS in Fiber’s AutoFormat content negotiation. Affected: GoFiber/v3 up to 3.1.0 and GoFiber/v2 up to 2.52.12. Root cause: the html branch of AutoFormat can emit raw, attacker-influenced data wrapped in HTML when the client sends Accept: text/html, enabling injection of...

6.1CVSS6AI score0.00212EPSS
Exploits1References1Affected Software1
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.11 views

Fiber 跨站脚本漏洞

Fiber is an open-source web framework written in Go. Versions of Fiber prior to 2.52.12 and 3.1.0 contain a cross-site scripting vulnerability. This vulnerability stems from cross-site scripting, allowing remote attackers to inject arbitrary HTML/JavaScript into any request by providing Accept:...

6.1CVSS5.8AI score0.00212EPSS
Exploits1References1
Snyk
Snyk
added 2026/05/05 8:13 p.m.8 views

Cross-site Scripting (XSS)

Overview github.com/gofiber/fiber/v2 is an Express inspired web framework written in Go. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the AutoFormat process. An attacker can inject arbitrary HTML or JavaScript by supplying a crafted Accept: text/html header and...

6.1CVSS6AI score0.00212EPSS
Exploits1References2
NVD
NVD
added 2026/05/05 1:16 p.m.19 views

CVE-2026-30246

Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key...

6.5CVSS0.00251EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/05/05 12:40 p.m.44 views

CVE-2026-30246 github.com/gofiber/fiber/v3 cache middleware can mix responses across query parameters

Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key...

6.5CVSS0.00251EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/05/05 12:40 p.m.7 views

CVE-2026-30246

Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key...

6.5CVSS5.8AI score0.00251EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/05/05 12:40 p.m.8 views

EUVD-2026-27313

Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key...

6.5CVSS5.8AI score0.00251EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/05/05 12:0 a.m.11 views

Fiber 安全漏洞

Fiber is an open-source web framework written in Go. Versions of Fiber 3.1.0 and earlier contain security vulnerabilities. These vulnerabilities stem from the default key generator used in the caching middleware, which only uses the request path without including the query string. As a result,...

6.5CVSS5.8AI score0.00251EPSS
Exploits1References1
Snyk
Snyk
added 2026/04/28 10:28 p.m.7 views

Use of Cache Containing Sensitive Information

Overview Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information due to the default KeyGenerator process in the cache middleware not including query parameters when generating cache keys. An attacker can access or cause exposure of user-specific or...

6.9CVSS5.8AI score0.00251EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/28 10:28 p.m.14 views

Use of Cache Containing Sensitive Information

Overview Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information due to the default KeyGenerator process in the cache middleware not including query parameters when generating cache keys. An attacker can access or cause exposure of user-specific or...

6.9CVSS5.8AI score0.00251EPSS
Exploits1References2
Circl
Circl
added 2026/04/25 1:8 p.m.13 views

CVE-2026-42554

creationtimestamp| type| source ---|---|--- 2026-04-25 13:08:32+00:00| published-proof-of-concept| https://github.com/gofiber/fiber/security/advisories/GHSA-qjv7-627w-8qjv...

6.1CVSS5.8AI score0.00212EPSS
Exploits1References1
Rows per page
Query Builder