This page collects WhisperX intelligence signals tagged #web-framework. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
A critical security flaw in the popular Fastify web framework allows attackers to spoof protocol and host information, even when restrictive proxy trust settings are in place. The vulnerability, tracked as CVE-2026-3635, stems from a logic error where the `request.protocol` and `request.host` getters incorrectly read `...
A critical security vulnerability has been disclosed in the Hono web framework, allowing attackers to bypass configured request body size limits. The flaw, tracked as CVE-2025-59139 and GHSA-92vj-g62v-jqhh, resides in the framework's `bodyLimit` middleware. This bypass could enable malicious actors to send oversized pa...
A critical security flaw in the widely-used Fastify Node.js web framework allows attackers to completely bypass request body validation. The vulnerability, tracked as CVE-2026-25223, stems from a parsing error where appending a tab character (`\t`) and arbitrary content to the `Content-Type` header can circumvent valid...
A critical security vulnerability has been identified in the Express.js view rendering system. The `View.prototype.lookup()` function lacks a fundamental path containment check, exposing applications that pass user input to `res.render()` to path traversal attacks. Unlike the protected `res.sendFile()` method, which us...
A critical security vulnerability in the widely-used Flask web framework exposes applications to potential cache poisoning attacks. The flaw, tracked as CVE-2026-27205, stems from the framework's failure to properly set the `Vary: Cookie` HTTP header in all scenarios when a user's session object is accessed. This omiss...
A critical-severity denial-of-service vulnerability in Ruby on Rails' Action View component allows attackers to cripple servers with a single, specially crafted HTTP request. The flaw, present in all Rails applications that render views, enables malicious accept headers to trigger runaway CPU consumption, pegging it at...
A critical path traversal vulnerability has been disclosed in the popular Hono web framework, exposing systems to potential file system compromise during static site generation. The flaw, tracked as CVE-2026-39408, resides in the `toSSG()` function. It allows specially crafted dynamic route parameters to manipulate gen...
A critical security vulnerability has been patched in the popular Hono web framework, exposing applications using its `basicAuth` and `bearerAuth` middlewares to potential timing attacks. The flaw, tracked as GHSA-gq3j-xvxp-8hrf, resided in the authentication logic's comparison function, which was not fully timing-safe...
A critical security flaw in the popular Hono.js web framework allows attackers to write files outside the intended directory during static site generation. The vulnerability, tracked as CVE-2026-39408, resides in the `toSSG()` function. When developers use dynamic route parameters via `ssgParams`, an attacker can craft...
A critical security vulnerability has been disclosed in the popular Hono.js web framework, exposing a path traversal flaw during static site generation. The issue, tracked as CVE-2026-39408, resides within the `toSSG()` function and could allow files to be written outside the configured output directory when using dyna...
A critical path traversal vulnerability in the Hono.js web framework's static site generation function, `toSSG()`, has been disclosed. The flaw, tracked as CVE-2026-39408, allows attackers to write files outside the configured output directory. This occurs when using dynamic route parameters via `ssgParams`; specially ...
A critical security flaw in the widely-used Fastify Node.js web framework allows attackers to completely bypass request body validation. The vulnerability, tracked as CVE-2026-25223, resides in the framework's content-type parsing logic. By simply appending a tab character (`\t`) followed by arbitrary content to a requ...
A critical path traversal vulnerability in the popular Hono web framework has been disclosed, exposing a direct risk to the integrity of static site generation processes. The flaw, tracked as CVE-2026-39408, resides within the `toSSG()` function. It allows attackers to write files outside the configured output director...
A critical security vulnerability in the popular Hono web framework has been patched, exposing projects to potential file system compromise during static site generation. The flaw, tracked as CVE-2026-39408, is a path traversal issue within the `toSSG()` function. It allows specially crafted dynamic route parameters to...
A critical vulnerability in Next.js versions 15.4.1 through 15.4.8 allows unauthenticated attackers to execute arbitrary code on affected servers. The flaw resides in the React Server Components (RSC) payload decoding mechanism, enabling remote code execution (RCE) through specially crafted HTTP requests. Crucially, ex...
A critical vulnerability in the Tornado web framework's multipart data parser has been patched, exposing countless Python web applications to a potent denial-of-service (DoS) attack vector. The flaw, tracked as CVE-2025-47287, allows remote attackers to trigger an extremely high volume of synchronous log messages, pote...
A critical security update has been released for the Hono web framework, addressing a timing attack vulnerability in its core authentication middleware. The flaw, tracked as GHSA-gq3j-xvxp-8hrf, was present in the `basicAuth` and `bearerAuth` components, where the `timingSafeEqual` function was using standard string eq...
A critical path traversal vulnerability in the Hono.js web framework's static site generation function, `toSSG()`, allows attackers to write files outside the configured output directory. The flaw, tracked as CVE-2026-39408, is triggered when using dynamic route parameters via `ssgParams`. An attacker can craft malicio...
A critical security vulnerability in the popular Hono.js web framework exposes applications to server-side HTML injection attacks. The flaw, tracked as GHSA-458j-xx4x-4375, resides in the framework's JSX/dom component, where improper handling of JSX attribute names can corrupt generated HTML. This creates a direct path...
A critical security vulnerability in the popular Hono.js web framework exposes applications to server-side HTML injection attacks. The flaw, tracked as GHSA-458j-xx4x-4375, resides in the framework's JSX rendering engine. Improper handling of JSX attribute names allows malformed attribute keys to corrupt the generated ...