What is the CVSS score of EUVD-2026-27248?

EUVD-2026-27248 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of fast-uri are affected by EUVD-2026-27248?

CVE-2026-6322 affects the fast-uri JavaScript library and enables attackers to bypass URL validation controls by exploiting improper handling of percent-encoded characters, allowing redirect and…. A patch is available.

Is there a public PoC exploit available for EUVD-2026-27248?

Yes, a public proof-of-concept exploit is available for EUVD-2026-27248. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate EUVD-2026-27248?

Within 24 hours: Identify all applications and services using fast-uri library and document current versions in use. Within 7 days: Upgrade fast-uri to version 3.1.2 or later across all production systems; verify through dependency scanning tools (npm audit, Snyk, etc.). Within 30 days: Conduct security review of URL validation logic in applications that relied on fast-uri for allowlist or redirect enforcement; implement compensating controls if legacy systems cannot be upgraded immediately.

fast-uri EUVD-2026-27248

| CVE-2026-6322 HIGH

Interpretation Conflict (CWE-436)

2026-05-05 openjs

GHSA-v39h-62p7-jpjc

Information Disclosure

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

May 05, 2026 - 12:01 EUVD

Analysis Generated

May 05, 2026 - 11:15 vuln.today

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

198,388 npm packages depend on fast-uri (2,437 direct, 195,978 indirect)

Ecosystem-wide dependent count for version 3.1.2.

DescriptionNVD

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.

AnalysisAI

Authority confusion in fast-uri JavaScript library allows remote attackers to bypass URL validation security controls. The normalize() function improperly decodes percent-encoded at-signs (%40) in hostnames, then re-serializes them as raw userinfo delimiters, causing URLs like 'http://trusted.com%40evil.com' to resolve to 'evil.com' instead of 'trusted.com'. …

RemediationAI

Within 24 hours: Identify all applications and services using fast-uri library and document current versions in use. Within 7 days: Upgrade fast-uri to version 3.1.2 or later across all production systems; verify through dependency scanning tools (npm audit, Snyk, etc.). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-27248 vulnerability details – vuln.today

Back

fast-uri EUVD-2026-27248

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code