CVE-2026-53624

Severity CVSS v4.0:
Pending analysis
Type:
CWE-319 Cleartext Transmission of Sensitive Information
Publication date:
08/07/2026
Last modified:
15/07/2026

Description

Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol() for https instead of c.Scheme(). This issue is fixed in version 3.4.0.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:* 3.4.0 (excluding)