CVE-2026-13676
- EPSS 0.27%
- Veröffentlicht 29.06.2026 13:22:44
- Zuletzt bearbeitet 02.07.2026 19:55:37
fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Uni...
CVE-2026-6322
- EPSS 0.48%
- Veröffentlicht 05.05.2026 11:16:33
- Zuletzt bearbeitet 09.07.2026 13:17:30
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emi...
CVE-2026-6321
- EPSS 0.52%
- Veröffentlicht 04.05.2026 19:31:57
- Zuletzt bearbeitet 02.07.2026 12:17:43
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could co...