CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2026-6322 – fast-uri vulnerable to host confusion via percent-encoded authority delimiters
https://notcve.org/view.php?id=CVE-2026-6322
05 May 2026 — fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authorit... • https://cna.openjsf.org/security-advisories.html • CWE-436: Interpretation Conflict •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2026-6321 – fast-uri vulnerable to path traversal via percent-encoded dot segments
https://notcve.org/view.php?id=CVE-2026-6321
04 May 2026 — fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 a... • https://cna.openjsf.org/security-advisories.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2026-33804 – @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
https://notcve.org/view.php?id=CVE-2026-33804
16 Apr 2026 — @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There ar... • https://cna.openjsf.org/security-advisories.html • CWE-436: Interpretation Conflict •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2026-6270 – @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
https://notcve.org/view.php?id=CVE-2026-6270
16 Apr 2026 — @fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are... • https://cna.openjsf.org/security-advisories.html • CWE-436: Interpretation Conflict •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-57349
https://notcve.org/view.php?id=CVE-2025-57349
24 Sep 2025 — The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special characters (e.g., __proto__ ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially ... • https://github.com/messageformat/messageformat/issues/452 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 7.8EPSS: 1%CPEs: 11EXPL: 1CVE-2022-24999 – express: "qs" prototype poisoning causes the hang of the node process
https://notcve.org/view.php?id=CVE-2022-24999
26 Nov 2022 — qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore ... • https://github.com/n8tz/CVE-2022-24999 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 5.4EPSS: 0%CPEs: 12EXPL: 1CVE-2020-4051 – XSS in Dijit Editor's LinkDialog plugin
https://notcve.org/view.php?id=CVE-2020-4051
15 Jun 2020 — In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3. En Dijit versiones anteriores a 1.1... • https://github.com/ossf-cve-benchmark/CVE-2020-4051 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 15EXPL: 0CVE-2014-6393
https://notcve.org/view.php?id=CVE-2014-6393
09 Aug 2017 — The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding. El framework web Express en versiones anteriores a la 3.11 y en versiones 4.x anteriores a la 4.5 para Node.js no proporciona un campo charset en los encabezados HTTP Content-Type en respuestas de nivel 400. Esto permitiría que ataca... • https://bugzilla.redhat.com/show_bug.cgi?id=1203190 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8856
https://notcve.org/view.php?id=CVE-2015-8856
23 Jan 2017 — Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name. Vulnerabilidad de XSS en el paquete serve-index en versiones anteriores a 1.6.3 para Node.js permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de archivo o directorio manipulado. • http://www.openwall.com/lists/oss-security/2016/04/20/11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •