CVE-2026-6414 is a low severity vulnerability with a CVSS score of 0.0. No known public exploits at this time.
EPSS: very low probability of exploitation.
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
@fastify/static v9.1.0 and earlier decodes percent-encoded path separators (%2F) before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on /admin/* do not match /admin%2Fsecret.html, but @fastify/static decodes it to /admin/secret.html and serves the file.
In applications that rely on route-based middleware or guards to protect files served by @fastify/static, those guards can be bypassed with encoded path separators.
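The mismatch described above can be modelled and used to review access logs for requests that missed a guard. This is an added example, not code from Fastify, @fastify/static or this advisory; the guard and decode functions are simplified stand-ins, and the log format and sample lines are constructed.

```javascript
// Simplified model of the routing mismatch; not Fastify's or @fastify/static's code.
const GUARDED_PREFIX = '/admin/'; // the guarded route from the advisory (/admin/*)

// Stand-in for a route guard: compares the raw path, so %2F stays literal.
function guardMatches(rawPath) {
  return rawPath.startsWith(GUARDED_PREFIX);
}

// Stand-in for the affected behaviour: percent-decode before resolving the file.
function decodedPath(rawPath) {
  try {
    return decodeURIComponent(rawPath);
  } catch {
    return null; // malformed percent-encoding, nothing to resolve
  }
}

// True when the guard does not fire on the raw path but the decoded
// path lands under the guarded prefix.
function isGuardBypass(rawPath) {
  const decoded = decodedPath(rawPath);
  return decoded !== null &&
    !guardMatches(rawPath) &&
    decoded.startsWith(GUARDED_PREFIX);
}

// Scan "METHOD path status" log lines (assumed format) and return suspect paths.
function findSuspectRequests(lines) {
  return lines
    .map((line) => (line.split(' ')[1] || '').split('?')[0])
    .filter((path) => path !== '' && isGuardBypass(path));
}

// Constructed sample log lines.
const SAMPLE_LOG = [
  'GET /admin/secret.html 403',   // guard fired as intended
  'GET /admin%2Fsecret.html 200', // guard missed, file served
  'GET /public/index.html 200',
  'GET /admin%2fsecret.html 200', // lowercase hex decodes the same way
  'GET /docs/a%20b.html 200',     // encoded, but not a separator issue
  'GET /bad%E0%A4%A 400',         // malformed encoding
];

console.log(findSuspectRequests(SAMPLE_LOG));
```

A 200 response on a flagged path in logs from before the upgrade indicates a guarded file was served without the guard running.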
Patch: upgrade to @fastify/static >= 9.1.1.
Workarounds: none. Upgrade to the patched version.