3 matches found
@13w/local-rag (>=1.6.0 <=1.7.2), @24letters/devservers (>=0.1.0 <=0.5.0) +632 more potentially affected by CVE-2026-6414 via @fastify/static (>=8.0.0 <=9.1.0)
@fastify/static NPM version =8.0.0, =1.6.0, =0.1.0, =0.1.0, =0.4.0, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =0.1.0, =0.1.0, =1.0.0-beta.23, =0.0.1, =1.0.0, =4.76.1 - @akiojin/claude-worktree =1.33.0 and more Source cves: CVE-2026-6414 Source advisory: OSV:GHSA-X428-GHPX-8J92...
CVE-2026-6414
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...
CVE-2026-6414
creationtimestamp| type| source ---|---|--- 2026-04-16 13:15:27+00:00| seen| https://bsky.app/profile/ulisesgascon.com/post/3mjmik2cvw22a 2026-04-16 13:36:32+00:00| seen| https://bsky.app/profile/ulisesgascon.com/post/3mjmjpo4gfc2n 2026-04-16 14:58:59+00:00| seen|...