The CVE record for CVE-2026-53624 was published on 2026-07-08T20:16:52.293Z. The NVD entry is currently MEDIUM. The vulnerability affects Fiber framework versions prior to 3.4.0, where the helmet middleware fails to set the Strict-Transport-Security response header. This issue has security implications for users of affected Fiber versions. Users of Fiber framework versions prior to 3.4.0 should review and [truncated]
CVE-2026-45045 is a MEDIUM severity vulnerability in Fiber's BalancerForward proxy helper. The issue arises from the use of Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream servers. This vulnerability is fixed in Fiber versions 3.3.0 and 2.52.14. Affected users should prioritize updating to these versions to miti [truncated]
CVE-2026-44332 is a vulnerability in the Fiber web framework's BasicAuth middleware. The default Authorizer function uses short-circuit evaluation, allowing for reliable remote username enumeration through response timing differences. This issue was fixed in version 3.3.0. Affected users should update to prevent potential username enumeration attacks.
A Cross-Site Scripting (XSS) vulnerability in the Go Fiber web framework allows remote attackers to inject arbitrary HTML/JavaScript by supplying an `Accept: text/html` header on requests whose handlers pass attacker-influenced data to the `AutoFormat()` feature. The vulnerability exists because `AutoFormat()` performs content negotiation based on the attacker-controlled `Accept` header, and when `text/ht [truncated]