Weekly CVE Digest — March 29, 2026
March 29, 2026 · PackageFix · 6 CVEs this week across npm, PyPI, Go, Rust
Two CRITICAL CVEs this week: remote code execution in mysql2's row-parser code generation, and remote code execution through the Werkzeug debugger. Six total across npm, PyPI, Go, and Rust. Paste your manifest into PackageFix to check if you're affected.
CVE-2024-29041 — express
Affected: < 4.19.2 · Fix: 4.19.2
Open redirect via res.redirect()/res.location() with malformed, user-controlled URLs. Express encoded the target with encodeurl before writing the Location header, so a malformed URL that an allow-list check had parsed as pointing at your own host could be parsed by the browser, after encoding, as pointing at an attacker's host: a correctly implemented allow list is bypassed. Any app that passes user input (a next or returnTo parameter, for example) to res.redirect() is exposed, whether or not it validates the host first. Fix: update to 4.19.2 (pre-release 5.x users need 5.0.0-beta.3).
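The parsing disagreement behind this class, as an added example (not Express's own code, and not the exact payload from the advisory): a host allow-list applied to the raw string passes, the host the browser sees after the encoding step is different, and a hardened check that resolves the target against the app origin and re-serialises it avoids the gap. APP_ORIGIN, the allow-list, the sample inputs and the use of the built-in encodeURI as a stand-in for the framework's encoding step are all assumptions made for this example.

```javascript
// Added example, not Express code. Demonstrates why validating the raw redirect string is
// not enough when the framework encodes it before emitting the Location header, and a
// safer same-origin check. APP_ORIGIN, ALLOWED_HOSTS and the inputs are made up.
const APP_ORIGIN = "https://app.example"; // assumed origin of the deployed app
const ALLOWED_HOSTS = new Set(["app.example"]); // assumed redirect allow-list

// Naive allow-list: parse the raw target and compare its host. Returns true if allowed.
function naiveHostAllowed(target) {
  try {
    return ALLOWED_HOSTS.has(new URL(target).host);
  } catch {
    return false;
  }
}

// Stand-in for the encode step applied before the Location header is written. encodeURI is
// used only because it is built in: it turns "\" into "%5C", which is enough to move the
// host boundary in a malformed URL.
function encodeForLocation(target) {
  return encodeURI(target);
}

// Host the browser actually connects to once the encoded value is in the Location header.
function hostAfterEncoding(target) {
  try {
    return new URL(encodeForLocation(target)).host;
  } catch {
    return null;
  }
}

// Hardened pattern: resolve the target against the app's own origin, accept only same-origin
// results, and return the re-serialised path so the string validated is the string emitted.
// "//evil.example" and "/\evil.example" both resolve to another origin under WHATWG rules,
// so a startsWith("/") check would have passed them; an origin comparison does not.
function safeRedirectTarget(target, fallback = "/") {
  if (typeof target !== "string" || target === "") return fallback;
  let url;
  try {
    url = new URL(target, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (url.origin !== APP_ORIGIN) return fallback;
  return url.pathname + url.search + url.hash;
}

// Constructed malformed input: the raw string parses with host app.example, the encoded
// form parses with host evil.example.
const MALFORMED_TARGET = "https://app.example\\@evil.example";
```

In an Express handler the last function is the only one to use: `res.redirect(safeRedirectTarget(req.query.next))`. Because it never emits an absolute URL, the encoding step cannot change which host the browser lands on.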
CVE-2024-1135 — gunicorn
Affected: < 22.0.0 · Fix: 22.0.0
HTTP request smuggling via unvalidated Transfer-Encoding headers. Gunicorn only honoured Transfer-Encoding when the value was exactly chunked; a value such as "chunked, identity", or an unknown coding, made it ignore the header and frame the body from Content-Length, while a front proxy that honours chunked encoding frames the same request differently (a TE.CL desync). The attacker can then smuggle a second request past proxy-level access controls. Any gunicorn deployment behind a reverse proxy (nginx, caddy, cloudflare), which is how gunicorn's own docs say to deploy it, is potentially affected. Fix: update to 22.0.0, which parses the coding list, rejects unknown codings and rejects requests that carry both Transfer-Encoding and Content-Length.
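The framing decision the fix enforces, as an added example (not gunicorn's code; the check is language-independent and is written in JavaScript here to match the other examples on this page): a standalone validator following RFC 9112 section 6, beside a simplified model of the pre-22.0.0 behaviour so the desync is visible. The probe request is constructed for this example, and the legacy model is an assumption about the shape of the old behaviour, not its code.

```javascript
// Added example, not gunicorn's code. frameRequestBody is the strict framing rule;
// frameRequestBodyLegacy models the old "only exact 'chunked' counts" behaviour (an
// assumption about its shape); the sample request is constructed for the demonstration.

// headers: array of [name, value] pairs in wire order (a header may repeat).
// Returns { mode: "chunked" | "content-length" | "none" | "reject", length?, reason? }.
function frameRequestBody(headers) {
  const reject = (reason) => ({ mode: "reject", reason });
  let chunked = false;
  let contentLength = null;

  for (const [name, rawValue] of headers) {
    // RFC 9112 forbids whitespace between the field name and the colon; a name such as
    // "Content-Length " is a classic way to make two parsers see different headers.
    if (/\s/.test(name)) return reject(`whitespace in header name ${JSON.stringify(name)}`);
    const value = rawValue.trim();

    if (name.toLowerCase() === "content-length") {
      if (!/^\d+$/.test(value)) return reject("malformed Content-Length");
      if (contentLength !== null) return reject("repeated Content-Length");
      contentLength = value;
    } else if (name.toLowerCase() === "transfer-encoding") {
      // The value is a list of codings. chunked must be the final coding and appear once;
      // an unknown coding is rejected instead of being ignored, which is the fallback that
      // made vulnerable versions frame the body from Content-Length.
      for (const coding of value.split(",").map((c) => c.trim().toLowerCase())) {
        if (chunked) return reject(`coding after chunked: ${JSON.stringify(coding)}`);
        if (coding === "chunked") chunked = true;
        else if (!["identity", "gzip", "deflate", "compress"].includes(coding)) {
          return reject(`unsupported transfer coding: ${JSON.stringify(coding)}`);
        }
      }
    }
  }

  // Both headers present is the canonical smuggling shape: refuse rather than pick one.
  if (chunked && contentLength !== null) return reject("both Transfer-Encoding and Content-Length");
  if (chunked) return { mode: "chunked" };
  if (contentLength !== null) return { mode: "content-length", length: Number(contentLength) };
  return { mode: "none" };
}

// Simplified model of the pre-22.0.0 behaviour: Transfer-Encoding counted only when the
// whole value was exactly "chunked"; otherwise the body was framed from Content-Length.
function frameRequestBodyLegacy(headers) {
  let chunked = false;
  let contentLength = null;
  for (const [name, value] of headers) {
    const lower = name.toLowerCase();
    if (lower === "transfer-encoding" && value.trim().toLowerCase() === "chunked") chunked = true;
    if (lower === "content-length") contentLength = value.trim();
  }
  if (chunked) return { mode: "chunked" };
  if (contentLength !== null) return { mode: "content-length", length: Number(contentLength) };
  return { mode: "none" };
}

// Minimal header-block parser so the checks can run over a raw request. Drops the request
// line, stops at the blank line, and does not handle obsolete line folding.
function parseHeaderBlock(raw) {
  const headers = [];
  for (const line of raw.split("\r\n").slice(1)) {
    if (line === "") break;
    const i = line.indexOf(":");
    if (i < 0) throw new Error(`malformed header line: ${line}`);
    headers.push([line.slice(0, i), line.slice(i + 1)]);
  }
  return headers;
}

// Constructed probe. A front proxy that treats any value containing "chunked" as chunked
// reads the whole chunked body; the legacy backend reads exactly 4 bytes per Content-Length
// and treats the remainder of the chunked body as the start of a second request.
const SMUGGLING_PROBE =
  "POST /api HTTP/1.1\r\n" +
  "Host: app.example\r\n" +
  "Content-Length: 4\r\n" +
  "Transfer-Encoding: chunked, identity\r\n" +
  "\r\n";

// How each parser frames the probe: { legacy: "content-length", fixed: "reject" }.
function probeOutcome() {
  const headers = parseHeaderBlock(SMUGGLING_PROBE);
  return { legacy: frameRequestBodyLegacy(headers).mode, fixed: frameRequestBody(headers).mode };
}
```

Running the strict rule over captured traffic from your proxy is a cheap way to find clients that were relying on the lenient behaviour before you upgrade: anything it rejects would be rejected with a 400 by 22.0.0.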
CVE-2024-32650 — rustls
Affected: < 0.23.5 · Fix: 0.23.5
Infinite loop in ConnectionCommon::complete_io triggered by network input: a client that sends a close_notify alert immediately after its ClientHello can make a blocking rustls server spin forever in complete_io(). Rust servers that drive TLS through the blocking complete_io() API and accept connections from untrusted clients are affected; each such connection pins a thread, so a handful of them pin the whole process. Fix: update to 0.23.5 (0.22.4 or 0.21.11 on the older release lines).
CVE-2024-21508 — mysql2
Affected: < 3.9.7 · Fix: 3.9.7
Remote code execution via the readCodeFor row-parser generator. mysql2 builds the row parser for each result set as JavaScript source and compiles it at runtime, and the supportBigNumbers and bigNumberStrings query options were spliced into that source without type validation, so a string value is executed as code. This is not SQL injection and parameterised queries are not the vector: the exposure is any path where untrusted input can reach the query options object, for example spreading a request body into connection.query({ sql, ...body }). CRITICAL for apps that build query options from client input. Update to 3.9.7 immediately and pass only booleans for these options.
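The bug class, as an added example (not mysql2's code): a deliberately tiny generator in the shape of a row-parser builder that splices two option values into source compiled with new Function, beside the type-checked version and an app-side guard that copies only known options out of untrusted input. The option names are the ones the advisory cites; the generated body, the packet shape, the payload string and the function names are made up for this example.

```javascript
// Added example, not mysql2's code. Models the pattern behind CVE-2024-21508: option values
// pasted into runtime-generated JavaScript. Everything except the two option names is
// invented for the demonstration.

// Vulnerable pattern: flag values are interpolated into the generated source as-is, so a
// string becomes code the moment the parser is compiled and run.
function buildRowParserUnchecked(options) {
  const body =
    `const big = (${options.supportBigNumbers}) && (${options.bigNumberStrings});` +
    `return String(packet) + (big ? ":string" : ":number");`;
  return new Function("packet", body); // runtime codegen, as in a real row-parser generator
}

// Hardened pattern: the same generator, but the flags may only be booleans. Anything else is
// refused before any source is built, so it can never reach new Function.
function buildRowParserChecked(options) {
  for (const name of ["supportBigNumbers", "bigNumberStrings"]) {
    if (name in options && typeof options[name] !== "boolean") {
      throw new TypeError(`query option ${name} must be a boolean, got ${typeof options[name]}`);
    }
  }
  return buildRowParserUnchecked(options); // safe now: only true/false are interpolated
}

// App-side guard: never spread a request body into query options. Copy only known option
// names with the expected type and drop everything else. The SQL text and bind values are
// assumed to be built separately by the caller.
const BOOLEAN_QUERY_OPTIONS = ["supportBigNumbers", "bigNumberStrings"];
function queryOptionsFromUntrusted(sql, untrusted) {
  const options = { sql };
  for (const name of BOOLEAN_QUERY_OPTIONS) {
    if (untrusted[name] === true || untrusted[name] === false) options[name] = untrusted[name];
  }
  return options;
}

// Constructed payload: a comma expression that performs a side effect and still evaluates
// to true, so the generated source stays valid and the injection fires when the parser
// handles a row. A real attacker would put something other than a global assignment here.
const INJECTED_OPTION = '(globalThis.leaked = "pwned", true)';

// Returns the value the injected expression wrote, proving attacker-chosen code ran.
function demoUnchecked() {
  delete globalThis.leaked;
  const parse = buildRowParserUnchecked({ supportBigNumbers: true, bigNumberStrings: INJECTED_OPTION });
  parse(42); // "parsing a row" executes the injected expression
  return globalThis.leaked; // "pwned"
}

// Returns true when the checked builder refuses the payload and nothing was executed.
function demoChecked() {
  delete globalThis.leaked;
  try {
    buildRowParserChecked({ supportBigNumbers: true, bigNumberStrings: INJECTED_OPTION });
  } catch (err) {
    return err instanceof TypeError && globalThis.leaked === undefined;
  }
  return false;
}
```

The library-side fix and the app-side guard are independent: upgrading to 3.9.7 closes this generator, but an application that still spreads client input into query options is one option name away from the next injection of the same shape, so audit for that pattern as part of the upgrade.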
CVE-2024-34069 — werkzeug
Affected: < 3.0.3 · Fix: 3.0.3
RCE through the Werkzeug debugger. The debugger honoured requests for any Host, so an attacker who gets a developer to visit a domain they control (with a subdomain that resolves to the developer's dev server, e.g. 127.0.0.1), and to enter the debugger PIN there, can drive the debugger console and run code on that machine even when the dev server is bound only to localhost; the attacker also needs a URL in the app that raises an exception. Only affects apps running with debug=True, which should never be production, but an exposed staging environment and every developer laptop count. Fix: 3.0.3, which only serves debugger requests for localhost, .localhost, 127.0.0.1 and the configured hostname (additional hosts can be allowed when using the DebuggedApplication middleware directly), and ensure debug=False in production.
CVE-2024-22189 — quic-go
Affected: < 0.42.0 · Fix: 0.42.0
Memory exhaustion via a flood of NEW_CONNECTION_ID frames. A peer sends many NEW_CONNECTION_ID frames that retire earlier connection IDs; the receiver must answer each with a RETIRE_CONNECTION_ID frame, and the attacker keeps it from sending most of them by collapsing its congestion window with selective acknowledgements and skewing its RTT estimate, so the queued frames grow until the process runs out of memory. Any Go server or client terminating QUIC/HTTP/3 with quic-go is affected, and there is no workaround. This is a different bug from the HTTP/2 CONTINUATION flood disclosed the same week, which is CVE-2023-45288 in golang.org/x/net/http2 and Go's net/http (fixed in x/net 0.23.0 and Go 1.21.9/1.22.2); the two are easy to confuse. Fix: 0.42.0.
Paste your manifest — get a fixed version with all CVEs patched in seconds.
Open PackageFix → Free · No signup · No CLI · Runs in your browser