PatchSiren

gofiber CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM gofiber CVE published 2026-07-08

CVE-2026-53624

The CVE record for CVE-2026-53624 was published on 2026-07-08T20:16:52.293Z. The NVD entry is currently MEDIUM. The vulnerability affects Fiber framework versions prior to 3.4.0, where the helmet middleware fails to set the Strict-Transport-Security response header. This issue has security implications for users of affected Fiber versions. Users of Fiber framework versions prior to 3.4.0 should review and [truncated]

MEDIUM gofiber CVE published 2026-07-08

CVE-2026-45045

CVE-2026-45045 is a MEDIUM severity vulnerability in Fiber's BalancerForward proxy helper. The issue arises from the use of Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream servers. This vulnerability is fixed in Fiber versions 3.3.0 and 2.52.14. Affected users should prioritize updating to these versions to miti [truncated]

MEDIUM gofiber CVE published 2026-07-08

CVE-2026-44332

CVE-2026-44332 is a vulnerability in the Fiber web framework's BasicAuth middleware. The default Authorizer function uses short-circuit evaluation, allowing for reliable remote username enumeration through response timing differences. This issue was fixed in version 3.3.0. Affected users should update to prevent potential username enumeration attacks.

MEDIUM Gofiber CVE published 2026-05-11

CVE-2026-42554

A Cross-Site Scripting (XSS) vulnerability in the Go Fiber web framework allows remote attackers to inject arbitrary HTML/JavaScript by supplying an `Accept: text/html` header on requests whose handlers pass attacker-influenced data to the `AutoFormat()` feature. The vulnerability exists because `AutoFormat()` performs content negotiation based on the attacker-controlled `Accept` header, and when `text/ht [truncated]