THREAT OPS › Threat News › [NVD] CVE-2026-6321 (HIGH 7.5) — fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize
[NVD] CVE-2026-6321 (HIGH 7.5) — fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize
CVE-2026-6321 CVSS: 7.5 HIGH Published: 2026-05-04T20:16:20.950
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker
Indicators of compromise
- CVE-2026-6321cve
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-6321