CVE-2026-6410

medium Red Hat
CVSS v3 Base Score
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Confidentiality
Low
Integrity
None
Availability
None
Published: April 16, 2026 (27 days ago)
Last Modified: April 16, 2026
Vendor: Red Hat
Source: REDHAT

Description

A flaw was found in @fastify/static. When directory listing is enabled, a remote unauthenticated attacker can exploit a path traversal vulnerability. This occurs because the dirList.path() function incorrectly resolves directories outside the configured static root. Successful exploitation allows the attacker to obtain directory listings for arbitrary directories, leading to the disclosure of directory and file names.

CWE

CWE-22

Affected Products

Red Hat Enterprise Linux AI (RHEL AI) 3Red Hat OpenShift AI (RHOAI)Red Hat OpenShift Dev Spaces

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 cna.openjsf.org 🔗 github.com