PatchSiren

hapijs CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM hapijs CVE published 2026-07-17

CVE-2026-48049

CVE-2026-48049 is a medium-severity vulnerability in @hapi/inert, a static file and directory handler for hapi.js. The vulnerability allows unauthenticated remote attackers to read files via a directory traversal attack. The issue arises from a flawed confinement check that compares the resolved absolute path against the confine directory using a raw string-prefix test. This allows an attacker to access f [truncated]

MEDIUM hapijs CVE published 2026-07-17

CVE-2026-48022

CVE-2026-48022 is a MEDIUM severity vulnerability in @hapi/wreck, an HTTP client utility. The issue allows credentials to be forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, enabling a co-tenant on an adjacent port or a network-position attacker to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. This issue i [truncated]

MEDIUM hapijs CVE published 2026-07-17

CVE-2026-44979

CVE-2026-44979 is a MEDIUM severity vulnerability in @hapi/wreck, an HTTP client utility. Prior to version 18.1.1, the library improperly handles 3xx redirects, potentially exposing forward-proxy credentials to a host outside the original trust boundary when redirects are enabled. This issue arises because @hapi/wreck only strips the Authorization and Cookie headers during redirects, but not the Proxy-Aut [truncated]

HIGH hapijs CVE published 2026-07-17

CVE-2026-44974

CVE-2026-44974 is a HIGH severity vulnerability in @hapi/content. Prior to version 6.0.2, the Content.disposition() function retained the last occurrence of each duplicate parameter, while Content.type() retained the first occurrence of duplicate charset and boundary parameters. This inconsistency creates a parameter-smuggling primitive when another component in the request-processing chain resolves dupli [truncated]