CVE-2026-26996 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service ReDoS when a glob pattern contains many consecutive wildcards followed by a literal character that doesn't appea...

CVE-2026-26996

CVE-2026-26996 affects minimatch, a glob-to-RegExp utility. Versions 10.2.0 and earlier are vulnerable to a Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal not present in the test string. Each * creates a separate [^/]*?...

CVE-2026-26996

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service ReDoS when a glob pattern contains many consecutive wildcards followed by a literal character that doesn't appea...

Atlassian Confluence 9.0.0 < 9.2.14 / 9.2.15 / 9.3.1 < 10.2.3 / 10.2.6 (CONFSERVER-102186)

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-102186 advisory. - Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of...

PT-2026-20870

Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath...

Regular Expression Denial of Service (ReDoS)

Overview minimatch is a minimal matching utility. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS in the AST class, caused by catastrophic backtracking when an input string contains many characters in a row, followed by an unmatched character. Detail...

GHSA-3PPC-4F35-3M26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Summary minimatch is vulnerable to Regular Expression Denial of Service ReDoS when a glob pattern contains many consecutive wildcards followed by a literal character that doesn't appear in the test string. Each compiles to a separate ^/? regex group, and when the match fails, V8's regex engine...

Exploit for Expression Language Injection in Vmware Spring_Data_Mongodb

SpringData - SpEL RCE Exploit - CVE-2022-22980 Exploit pour l...

Denial Of Service (DoS)

ajv is vulnerable to Regular Expression Denial of Service ReDoS. The vulnerability is due to passing attacker-controlled values from $data references directly into the JavaScript RegExp constructor without validation. This allowing malicious regex patterns that trigger catastrophic backtracking a...

CVE-2026-2641

A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack on t...

UBUNTU-CVE-2026-2641

A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack on t...

CVE-2026-2641

A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack on t...

Regular Expression Denial of Service (ReDoS) Detector

This Metasploit auxiliary module implements a scientific approach to detecting and validating ReDoS vulnerabilities in HTTP-based applications. It leverages context-aware payload generation, length progression testing, and statistical analysis to identify inefficient regular expressions that may...

dompurify: Mutation XSS in DOMPurify Due to Improper Template Literal Handling

A flaw was found in DOMPurify. This vulnerability allows attackers to execute mutation-based Cross-site scripting mXSS via an incorrect template literal regular expression...

CVE-2026-25227

authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server contain...

CVE-2026-26190 Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise

Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath...

CVE-2026-26190 Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise

Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath...

CVE-2026-26190

Milvus prior to versions 2.5.27 and 2.6.10 exposes TCP 9091 by default, enabling authentication bypasses. The /expr debug endpoint uses a weak default token (etcd.rootPath, default: by-dev) allowing arbitrary expression evaluation. The REST API (/api/v1/*) is registered on the metrics/management ...

SUSE CVE-2026-2327

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service ReDoS due to the use of the regex /+$/ in the linkify function. An attacker can supply a long sequence of characters followed by a non-matching character, which triggers...

CVE-2026-0967

A flaw was found in libssh. A remote attacker, by controlling client configuration files or knownhosts files, could craft specific hostnames that when processed by the matchpattern function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion,...