What is the CVSS score of CVE-2026-22037?

CVE-2026-22037 has a CVSS 3.1 base score of 8.4 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L. EPSS exploitation probability: 0.1%.

Which versions of Node.js are affected by CVE-2026-22037?

CVE-2026-22037 presents notable security risk rated CVSS 8.4. Successful exploitation could significantly impact the confidentiality, integrity, or availability of affected systems.. A patch is available.

Node.js CVE-2026-22037

HIGH

Improper Handling of URL Encoding (Hex Encoding) (CWE-177)

2026-01-19 security-advisories@github.com

GHSA-g6q3-96cp-5r5m

Node.js

8.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 19, 2026 - 17:15 nvd

HIGH 8.4

DescriptionNVD

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch fort the issue.

AnalysisAI

The @fastify/express plugin prior to version 4.0.3 allows authenticated attackers to bypass path-based middleware restrictions by submitting URL-encoded characters in requests, such as using /%61dmin instead of /admin. While the middleware engine fails to match the encoded path, the underlying Fastify router correctly decodes it and routes the request to handlers, enabling unauthorized access to protected endpoints. …

RemediationAI

Within 7 days: Identify all affected systems and apply vendor patches promptly. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-22037 vulnerability details – vuln.today

Back

Node.js CVE-2026-22037

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code