CVE-2026-33806

Published: Apr 15, 2026 Last Modified: Apr 15, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,5

Source: ce714d77-add3-4f53-aff5-83d477b104bb

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: high

Availability: none

Description

AI Translation Available

Impact:

Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.

This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442

Patches:

Upgrade to fastify v5.8.5 or later.

Workarounds:

None. Upgrade to the patched version.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0004

Percentile

0,1th

Updated

EPSS Score Trend (Last 2 Days)

1287

Improper Validation of Specified Type of Input

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Other

Potential Impacts:

Varies By Context

Applicable Platforms

All platforms may be affected

View CWE Details

https://cna.openjsf.org/security-advisories.html

https://github.com/fastify/fastify/security/advisories/GHSA…

https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc

CVE-2026-33806

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 2 Days)

Improper Validation of Specified Type of Input

Common Consequences

Applicable Platforms

Iscriviti alla newsletter