What is the CVSS score of CVE-2026-25882?

CVE-2026-25882 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of Fiber are affected by CVE-2026-25882?

A denial of service vulnerability in Fiber web framework (v2 and v3) allows attackers to crash affected applications by sending specially crafted requests, potentially disrupting service…. A patch is available.

Is there a public PoC exploit available for CVE-2026-25882?

Yes, a public proof-of-concept exploit is available for CVE-2026-25882. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-25882?

Within 24 hours: Inventory all applications running Fiber v2 or v3 and assess exposure to untrusted internet traffic. Within 7 days: Apply the available vendor patch to all affected Fiber instances and thoroughly test in staging environments before production deployment. Within 30 days: Complete patch deployment across all production systems and validate no Fiber instances remain on vulnerable versions.

Fiber CVE-2026-25882

HIGH

Improper Validation of Array Index (CWE-129)

2026-02-24 security-advisories@github.com

GHSA-mrq8-rjmw-wpq3

Denial Of Service Fiber Suse

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SUSE

HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 27, 2026 - 03:18 vuln.today

Public exploit code

Patch released

Feb 27, 2026 - 03:18 nvd

Patch available

CVE Published

Feb 24, 2026 - 21:16 nvd

HIGH 7.5

DescriptionGitHub Advisory

Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.

AnalysisAI

Fiber web framework versions 2 and 3 are vulnerable to denial of service attacks when processing requests to routes containing more than 30 parameters, enabling remote attackers to crash affected applications without authentication. The vulnerability stems from insufficient validation during route registration and unbounded array writes in request matching logic. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft HTTP request with 30+ route parameters

Exploit

Route handler processes unbounded array write

Execution

Application memory corruption occurs

Impact

Fiber service crashes

Access

Craft HTTP request with 30+ route parameters

Exploit

Route handler processes unbounded array write

Execution

Application memory corruption occurs

Impact

Fiber service crashes

Vulnerability AssessmentAI

Exploitation	Fiber v2 (before 2.52.12) or v3 (before 3.1.0) with routes accepting multiple parameters. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote attacker could exploit this vulnerability to crash the application by sending requests to routes with more than 30 parameters.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all applications running Fiber v2 or v3 and assess exposure to untrusted internet traffic. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High

Product	Status
openSUSE Leap 15.6	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6	Fixed
openSUSE Leap 15.5	Fixed

CVE-2026-25882 vulnerability details – vuln.today

Back

Fiber CVE-2026-25882

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code