Fastify Fastify/express — known CVE vulnerabilities
Every CVE whose affected-product data names Fastify Fastify/express, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (3)
CVE-2026-33807 — CVSS 9.1 (critical): @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when…
CVE-2026-33808 — CVSS 9.1 (critical): Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router…
CVE-2026-6556 — CVSS 9.1 (critical): @fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string…