CVE-2026-14198
The CVE-2026-14198 entry concerns @fastify/middie versions 9.1.0–9.3.2, where encoded slashes (%2F) in path parameter values are decoded by middie but not by Fastify’s router during route lookup. This mismatch lets a crafted URL bypass middleware-based security (authentication/authorization/rate ...