CRITICAL

CVE-2026-16117

CVSS v3

10

CRITICAL

EPSS Score

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the ups

Technical details

CVSS v3 Vector
3.1
Published
7/18/2026
Last Modified
7/18/2026

Frequently asked questions

What is CVE-2026-16117?

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the ups

Is CVE-2026-16117 actively exploited?

Active exploitation of CVE-2026-16117 has not been confirmed. The EPSS score is N/A%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2026-16117?

CVE-2026-16117 has a CVSS v3 base score of 10 (CRITICAL severity), with vector string 3.1.

Is CVE-2026-16117 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.