VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-qq94-5gw2-qyd6

Essentials
Severities (19)
References (11)
Severity details (16)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-qq94-5gw2-qyd6
Aliases	CVE-2026-27959 GHSA-7gcc-r8m5-44qm
Summary	Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-20	Improper Input Validation
CWE-74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	8.2	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27959.json
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2026-27959
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2026-27959
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2026-27959
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-7gcc-r8m5-44qm
cvssv3.1	7.5	https://github.com/koajs/koa
generic_textual	HIGH	https://github.com/koajs/koa
cvssv3.1	7.5	https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df
generic_textual	HIGH	https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df
ssvc	Track	https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df
cvssv3.1	7.5	https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb
generic_textual	HIGH	https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb
ssvc	Track	https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb
cvssv3.1	7.5	https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm
cvssv3.1_qr	HIGH	https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm
generic_textual	HIGH	https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm
ssvc	Track	https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2026-27959
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2026-27959

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27959.json
		https://api.first.org/data/v1/epss?cve=CVE-2026-27959
		https://github.com/koajs/koa
2442928		https://bugzilla.redhat.com/show_bug.cgi?id=2442928
55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df		https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df
b76ddc01fdb703e51652b0fd131d16394cadcfeb		https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb
CVE-2026-27959		https://nvd.nist.gov/vuln/detail/CVE-2026-27959
GHSA-7gcc-r8m5-44qm		https://github.com/advisories/GHSA-7gcc-r8m5-44qm
GHSA-7gcc-r8m5-44qm		https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm
RHSA-2026:10184		https://access.redhat.com/errata/RHSA-2026:10184
RHSA-2026:7249		https://access.redhat.com/errata/RHSA-2026:7249

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27959.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/koajs/koa

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T19:31:17Z/ Found at https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T19:31:17Z/ Found at https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T19:31:17Z/ Found at https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-27959

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.31286
EPSS Score	0.00125
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:50:51.828762+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/27xxx/CVE-2026-27959.json	38.6.0