What is the CVSS score of EUVD-2026-27129?

EUVD-2026-27129 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of fast-uri are affected by EUVD-2026-27129?

CVE-2026-6321 affects fast-uri library versions 3.1.0 and earlier, enabling remote attackers to bypass path-based access controls through URL encoding manipulation.. A patch is available.

Is there a public PoC exploit available for EUVD-2026-27129?

Yes, a public proof-of-concept exploit is available for EUVD-2026-27129. Prioritise patching immediately. EPSS: 0.0%.

fast-uri EUVD-2026-27129

Q: How to fix or mitigate EUVD-2026-27129?

Within 24 hours: identify all applications and services using fast-uri library and document current versions. Within 7 days: upgrade fast-uri to version 3.1.1 or later across all affected systems; validate upgrade in non-production environments first. Within 30 days: conduct access control testing to verify path normalization bypass is eliminated; review authorization logs for suspicious path-traversal patterns in the preceding 90 days.

| CVE-2026-6321 HIGH

Path Traversal (CWE-22)

2026-05-04 openjs

GHSA-q3j6-qgpj-74h6

Path Traversal Red Hat Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

May 04, 2026 - 21:02 EUVD

Analysis Generated

May 04, 2026 - 20:31 vuln.today

DescriptionNVD

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.

AnalysisAI

Path normalization bypass in fast-uri 3.1.0 and earlier allows remote attackers to circumvent path-based access controls through percent-encoded path traversal sequences. The normalize() and equal() functions decode URL-encoded separators (%2F) and dot segments (%2E) before applying normalization rules, causing distinct URIs to collapse onto identical normalized paths. …

RemediationAI

Within 24 hours: identify all applications and services using fast-uri library and document current versions. Within 7 days: upgrade fast-uri to version 3.1.1 or later across all affected systems; validate upgrade in non-production environments first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory