Veracode
added 2026/04/08 2:54 p.m., 5 views

Regular Expression Denial Of Service (ReDoS)

minimatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is due to unbounded recursive processing in matchOne when handling multiple non-adjacent GLOBSTAR patterns, which allows an attacker to supply crafted glob inputs that significantly delay execution and block...

CVSS 7.5, AI score 6, EPSS 0.00517
Exploits 1, References 3, Affected Software 1
RedHat Linux
added 2026/04/08 1:58 p.m., 6 views

minimatch: minimatch: Denial of Service via specially crafted glob patterns

A flaw was found in minimatch. A remote attacker could exploit this Regular Expression Denial of Service (ReDoS) vulnerability by providing a specially crafted glob pattern. This pattern, containing numerous consecutive wildcard characters, causes excessive processing and exponential backtracking i...

CVSS 8.7, AI score 5.9, EPSS 0.00519
Exploits 1, References 6
Github Security Blog
added 2026/04/08 12:12 a.m., 8 views

Emissary has a Command Injection via PLACE_NAME Configuration in Executrix

Summary: The Executrix utility class constructed shell commands by concatenating configuration-derived values, including the PLACE_NAME parameter, with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, etc.) to pass through into...

CVSS 7.2, AI score 6.1, EPSS 0.00563
Exploits 1, References 4, Affected Software 1
Github Security Blog
added 2026/04/08 12:5 a.m., 7 views

Addressable has a Regular Expression Denial of Service in Addressable templates

Impact: Within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking: 1. Templates using the explode modifier with any expansion operator (e.g., foo, +var, var, /var, .var, ;var, ?var, &var) generate patterns...

CVSS 7.5, AI score 5.8, EPSS 0.0036
Exploits 0, References 4, Affected Software 1
RubySec
added 2026/04/08 12:0 a.m., 11 views

Addressable has a Regular Expression Denial of Service in Addressable templates

Impact: Within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking: 1. Templates using the explode modifier with any expansion operator (e.g., foo, +var, var, /var, .var, ;var, ?var, &var) generate patterns...

CVSS 7.5, AI score 5.8, EPSS 0.0036
Exploits 0, References 1, Affected Software 1
RedhatCVE
added 2026/04/07 11:1 p.m., 6 views

CVE-2026-35213

@hapi/content provided HTTP Content- headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns...

CVSS 8.7, AI score 5.9, EPSS 0.00413
Exploits 0, References 1
OSV
added 2026/04/07 6:16 p.m., 1 view

GHSA-FMWG-QCQH-M992 Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature

Summary: Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely. Details: Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns...

CVSS 8.7, AI score 5.8, EPSS 0.00497
Exploits 1, References 4
Vulnrichment
added 2026/04/07 4:38 p.m., 1 view

CVE-2026-35611 Addressable has a Regular Expression Denial of Service in Addressable templates

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking...

CVSS 7.5, AI score 5.8, EPSS 0.0036
Exploits 0, References 1
Cvelist
added 2026/04/07 2:24 p.m., 16 views

CVE-2026-35458 Gotenberg has a ReDoS via extraHttpHeaders scope feature

Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely...

CVSS 8.7, EPSS 0.00497
Exploits 1, References 1
NVD
added 2026/04/06 9:16 p.m., 11 views

CVE-2026-35213

@hapi/content provided HTTP Content- headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns...

CVSS 8.7, EPSS 0.00413
Exploits 0, References 2
Cvelist
added 2026/04/06 8:8 p.m., 17 views

CVE-2026-35213 Regular Expression Denial of Service (ReDoS) in @hapi/content HTTP header parsing

@hapi/content provided HTTP Content- headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns...

CVSS 8.7, EPSS 0.00413
Exploits 0, References 2
ATTACKERKB
added 2026/04/06 8:8 p.m., 4 views

CVE-2026-35213

@hapi/content provided HTTP Content- headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns...

CVSS 8.7, AI score 5.9, EPSS 0.00413
Exploits 0, References 3, Affected Software 1
CVE
added 2026/04/06 8:8 p.m., 96 views

CVE-2026-35213

CVE-2026-35213 affects the @hapi/content package: three regexes used to parse Content-Type and Content-Disposition headers enable Regular Expression Denial of Service (ReDoS) via crafted header values. All versions up to 6.0.0 are vulnerable; remediation is to upgrade to 6.0.1 where the issue is ...

CVSS 8.7, AI score 5.9, EPSS 0.00413
Exploits 0, References 2, Affected Software 1
OSV
added 2026/04/05 2:50 a.m., 2 views

OPENSUSE-SU-2026:20464-1 Security update for cockpit-repos

This update for cockpit-repos fixes the following issue: - CVE-2026-26996: minimatch: ReDoS when glob pattern contains many consecutive wildcards followed by a literal character that doesn't appear in the test string (bsc1258637)...

CVSS 8.7, AI score 6.7, EPSS 0.00519
Exploits 1, References 2
Positive Technologies
added 2026/04/05 12:0 a.m., 7 views

PT-2026-30481

PilusCart 1.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'send' parameter. Attackers can submit POST requests to the comment submission endpoint with RLIKE-based boolean SQL injection payloads to...

CVSS 8.8, AI score 6.1, EPSS 0.00377
Exploits 1, References 4
Snyk
added 2026/04/04 4:23 a.m., 11 views

Regular Expression Denial of Service (ReDoS)

Overview: @hapi/content is an HTTP Content- headers parsing library. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the Content-Type and Content-Disposition header parsing. An attacker can cause the application to become unresponsive by sending a singl...

CVSS 8.7, AI score 5.9, EPSS 0.00413
Exploits 0, References 2
Github Security Blog
added 2026/04/04 4:23 a.m., 8 views

@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing

All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This has been...

CVSS 8.7, AI score 5.4, EPSS 0.00413
Exploits 0, References 4, Affected Software 1
CVE
added 2026/04/03 10:52 p.m., 13 views

CVE-2026-34939

PraisonAI is vulnerable to a Regular Expression Denial of Service (ReDoS) through MCPToolIndex.search_tools(), where the function compiles a caller-supplied string directly into a Python regex with no validation or timeout. A crafted pattern can trigger catastrophic backtracking, blocking the Pyt...

CVSS 7.5, AI score 5.8, EPSS 0.00402
Exploits 1, References 1, Affected Software 1
ATTACKERKB
added 2026/04/03 10:52 p.m., 3 views

CVE-2026-34939

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python...

CVSS 6.5, AI score 5.8, EPSS 0.00402
Exploits 1, References 2, Affected Software 1
Github Security Blog
added 2026/04/02 8:35 p.m., 6 views

Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect

Summary: Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex...

CVSS 7.5, AI score 5.8, EPSS 0.00209
Exploits 0, References 4, Affected Software 1