HIGH🇵🇱 Wersja polska

CVE-2026-6322

CVSS 7.5v3.1pub. 2026-05-05upd. 2026-07-03

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • Openjsf Fast Uri

    APP
    Openjsf
    < 3.1.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-13676HIGH7.5ten sam produkt

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family U...

CVE-2026-6321HIGH7.5ten sam produkt

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its n...

CVE-2026-25244CRITICAL9.8PL ✓ten sam vendor

WebdriverIO: command injection w orkiestracji testów prowadzący do RCE

CVE-2026-10796HIGH7.5ten sam vendor

nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the con...

CVE-2025-57349HIGH7.5ten sam vendor

The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is v...