Weekly CVE Digest — April 1, 2026
Two CRITICAL CVEs this week: mysql2 RCE and Werkzeug debugger bypass. Six total across npm, PyPI, Go, and Rust. Paste your manifest into PackageFix to check if you are affected.
CVE-2024-29041 — express MEDIUM
Ecosystem: npm · Affected: 4.17.x · Fix: 4.19.2
Open redirect via res.redirect() with user-controlled URLs. Any Express app passing user input to res.redirect() is affected. Common in OAuth callback handlers. Fix: update to 4.19.2.
CVE-2024-21508 — mysql2 CRITICAL
Ecosystem: npm · Affected: below 3.9.7 · Fix: 3.9.7
Remote code execution via SQL injection in prepared statement handling. CRITICAL - update immediately if your app uses mysql2 with any user-controlled input in queries.
CVE-2024-34069 — Werkzeug CRITICAL
Ecosystem: PyPI · Affected: below 3.0.3 · Fix: 3.0.3
RCE via Werkzeug debugger PIN bypass. Only affects apps running with debug=True. Never run debug mode in production. Update to 3.0.3 and verify APP_DEBUG=False.
CVE-2024-22189 — fiber HIGH
Ecosystem: Go · Affected: below v2.52.2 · Fix: v2.52.2
DoS via HTTP/2 CONTINUATION frames flood. Any Fiber server accepting HTTP/2 connections is affected. Part of the broader 2024 HTTP/2 vulnerability class.
CVE-2024-32650 — rustls HIGH
Ecosystem: Rust · Affected: below 0.23.5 · Fix: 0.23.5
Infinite loop via crafted TLS certificate chain. Any Rust server using rustls that processes TLS connections from untrusted clients is affected.
CVE-2024-1135 — gunicorn HIGH
Ecosystem: PyPI · Affected: below 22.0.0 · Fix: 22.0.0
HTTP request smuggling via invalid Transfer-Encoding header. Affects all gunicorn deployments behind a reverse proxy. Update to 22.0.0.
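As an added example (not code from the digest or from PackageFix), a small Python check that flags pinned dependency versions below the fix versions listed above. It assumes that anything below the listed fix is affected (a conservative reading that also covers the 4.17.x range given for express), uses the package names as the digest writes them, and reduces npm range specifiers like `^4.17.1` to their lower bound, so the installed version from a lockfile is the one to feed it.

```python
import json
import re

# (ecosystem, lowercased package name as written in the digest) -> (CVE, first fixed version)
ADVISORIES = {
    ("npm", "express"): ("CVE-2024-29041", "4.19.2"),
    ("npm", "mysql2"): ("CVE-2024-21508", "3.9.7"),
    ("PyPI", "werkzeug"): ("CVE-2024-34069", "3.0.3"),
    ("PyPI", "gunicorn"): ("CVE-2024-1135", "22.0.0"),
    ("Go", "fiber"): ("CVE-2024-22189", "v2.52.2"),
    ("Rust", "rustls"): ("CVE-2024-32650", "0.23.5"),
}


def version_key(version):
    """'4.19.2', 'v2.52.2', '^4.17.1' or '3.0.3rc1' -> comparable key.
    Pre-releases sort below the final release; leading range operators are dropped."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version.strip().lstrip("^~=vV"))
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return (nums, 0 if m.group(2).strip() else 1)


def affected(ecosystem, package, version):
    """Return (CVE, fix) when the version is below the digest's fix version, else None."""
    entry = ADVISORIES.get((ecosystem, package.lower()))
    if entry is None or version_key(version) >= version_key(entry[1]):
        return None
    return entry


def scan_package_json(text):
    """Check dependencies and devDependencies of a package.json against the npm entries."""
    data = json.loads(text)
    deps = {**data.get("dependencies", {}), **data.get("devDependencies", {})}
    return {n: affected("npm", n, spec) for n, spec in deps.items() if affected("npm", n, spec)}


def scan_requirements(text):
    """Check 'name==version' pins of a requirements.txt; unpinned lines are skipped."""
    hits = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([\w.+-]+)", line)
        if m and affected("PyPI", m.group(1), m.group(2)):
            hits[m.group(1)] = affected("PyPI", m.group(1), m.group(2))
    return hits


# Constructed sample manifests, not taken from any real project.
SAMPLE_PACKAGE_JSON = '{"dependencies": {"express": "^4.17.1", "mysql2": "3.9.7"}}'
SAMPLE_REQUIREMENTS = "Werkzeug==3.0.1\ngunicorn==22.0.0\nflask==3.0.3\n"

if __name__ == "__main__":
    print(scan_package_json(SAMPLE_PACKAGE_JSON))  # express flagged, mysql2 already at fix
    print(scan_requirements(SAMPLE_REQUIREMENTS))  # Werkzeug flagged, gunicorn already at fix
```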