CVE-2026-6322

fast-uri normalize decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator...

PT-2026-36996

Name of the Vulnerable Software and Affected Versions fast-uri versions prior to 3.1.2 Description The normalize function decoded percent-encoded authority delimiters within the host component and re-emitted them as raw delimiters during serialization. This allows a host combining an allowed...

Directory Traversal

Overview fast-uri is a Dependency-free RFC 3986 URI toolbox Affected versions of this package are vulnerable to Directory Traversal via the normalize or equal functions. An attacker can bypass path-based access controls by submitting specially crafted percent-encoded or dot segments in URLs,...

CVE-2026-6321 fast-uri vulnerable to path traversal via percent-encoded dot segments

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize and equal functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications...

Glances has SQL Injection via Process Names in TimescaleDB Export

Summary The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as...