CVE-2026-53624
Severity CVSS v4.0:
Pending analysis
Type:
CWE-319
Cleartext Transmission of Sensitive Information
Publication date:
08/07/2026
Last modified:
10/07/2026
Description
Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol() for https instead of c.Scheme(). This issue is fixed in version 3.4.0.
Impact
Base Score 3.x
4.80
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/gofiber/fiber/commit/04dd4e7754f61768fddccacc79057e416f13e6bf
- https://github.com/gofiber/fiber/pull/4389
- https://github.com/gofiber/fiber/releases/tag/v3.4.0
- https://github.com/gofiber/fiber/security/advisories/GHSA-gv83-gqw6-9j2c
- https://github.com/gofiber/fiber/security/advisories/GHSA-gv83-gqw6-9j2c



