What is the CVSS score of CVE-2026-27959?

CVE-2026-27959 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Node.js are affected by CVE-2026-27959?

Koa framework versions prior to 3.1.2 and 2.16.4 contain a hostname parsing vulnerability that could allow attackers to bypass security controls or manipulate application behavior through crafted…. A patch is available.

Is there a public PoC exploit available for CVE-2026-27959?

Yes, a public proof-of-concept exploit is available for CVE-2026-27959. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-27959?

Within 24 hours: Identify all applications using Koa and determine which versions are deployed. Within 7 days: Apply vendor patches to upgrade Koa to version 3.1.2 or 2.16.4 or later across all production and non-production environments. Within 30 days: Conduct application testing to validate patches and verify no regressions in Host header handling functionality.

Node.js CVE-2026-27959

HIGH

Improper Input Validation (CWE-20)

2026-02-26 security-advisories@github.com

GHSA-7gcc-r8m5-44qm

Node.js Koa Code Injection

7.5

CVSS 3.1 · Vendor: github

Severity by source

Vendor (github) PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Red Hat

8.2 HIGH

qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 28, 2026 - 00:55 vuln.today

Public exploit code

Patch released

Feb 28, 2026 - 00:55 nvd

Patch available

CVE Published

Feb 26, 2026 - 02:16 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

5 npm packages depend on koa (5 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionCVE.org

Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a @ symbol is received, ctx.hostname returns evil[.]com - an attacker-controlled value. Applications using ctx.hostname for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.

AnalysisAI

Host header injection in Koa's ctx.hostname API (versions prior to 2.16.4 and 3.1.2) allows remote attackers to inject arbitrary hostnames through malformed Host headers containing @ symbols, affecting applications that use this API for security-sensitive operations like URL generation, password reset links, and email verification. Public exploit code exists for this vulnerability. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft HTTP request with malformed Host header containing @ symbol

Exploit

ctx.hostname parser extracts attacker-controlled value

Execution

Inject malicious hostname into URL generation

Impact

Hijack password reset or verification links

Access

Craft HTTP request with malformed Host header containing @ symbol

Exploit

ctx.hostname parser extracts attacker-controlled value

Execution

Inject malicious hostname into URL generation

Impact

Hijack password reset or verification links

Vulnerability AssessmentAI

Exploitation	Application must use ctx.hostname API for URL generation, password reset links, email verification URLs, or routing decisions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to compromise the affected system.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all applications using Koa and determine which versions are deployed. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53633 CRITICAL Act Now

9.8 Jun 15

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a

CVE-2026-48714 CRITICAL Act Now

9.1 Jun 15

Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p

CVE-2026-53609 CRITICAL Act Now

9.1 Jun 12

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object

CVE-2026-48054 HIGH This Week

8.8 Jun 11

Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied

CVE-2026-53608 HIGH This Week

8.7 Jun 12

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito

Vendor StatusVendor

CVE-2026-27959 vulnerability details – vuln.today

Back

Node.js CVE-2026-27959

Severity by source

CVSS VectorVendor: github

Lifecycle Timeline

Blast Radius

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code