825 matches found

OSV
added 2026/02/26 2:16 a.m. | 0 views

UBUNTU-CVE-2026-27903

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, matchOne performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent GLOBSTAR...

CVSS 7.5 | AI score 5.7 | EPSS 0.00036
Exploits: 1 | References: 3

OSV
added 2026/02/24 8:16 p.m. | 4 views

GHSA-4XRR-HQ4W-6VF4 Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections

Summary: The path sanitization in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. Details: The try_files directive is used to rewrite the request URI. It accepts a list of patterns and checks if any files exist in the root that match the...

CVSS 8.2 | AI score 5.7 | EPSS 0.00122
Exploits: 1 | References: 8

Snyk
added 2026/02/24 8:16 p.m. | 2 views

Improper Neutralization of Equivalent Special Elements

Overview: Affected versions of this package are vulnerable to Improper Neutralization of Equivalent Special Elements in matcher.go, when matching filenames using the try_files directive, which does not properly handle backslashes. An attacker can bypass security protections by exploiting glob...

CVSS 8.2 | AI score 6.2 | EPSS 0.00122
Exploits: 1 | References: 2

Github Security Blog
added 2026/02/24 8:16 p.m. | 5 views

Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections

Summary: The path sanitization in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. Details: The try_files directive is used to rewrite the request URI. It accepts a list of patterns and checks if any files exist in the root that match the...

CVSS 8.2 | AI score 5.6 | EPSS 0.00122
Exploits: 1 | References: 8 | Affected Software: 1

Cvelist
added 2026/02/24 4:6 p.m. | 16 views

CVE-2026-27585 Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations...

CVSS 8.2 | EPSS 0.00122
Exploits: 1 | References: 4

SUSE CVE
added 2026/02/21 12:23 a.m. | 1 views

SUSE CVE-2026-26996

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appea...

CVSS 7.5 | AI score 5.7 | EPSS 0.00026
Exploits: 1 | References: 34

OSV
added 2026/02/20 3:16 a.m. | 3 views

DEBIAN-CVE-2026-26996

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appea...

CVSS 7.5 | AI score 7.3 | EPSS 0.00026
Exploits: 1 | References: 1

CVE
added 2026/02/20 3:5 a.m. | 88 views

CVE-2026-26996

CVE-2026-26996 affects minimatch, a glob-to-RegExp utility. Versions 10.2.0 and earlier are vulnerable to a Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal not present in the test string. Each * creates a separate [^/]*?...

CVSS 8.7 | AI score 5.4 | EPSS 0.00026
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2026/02/18 10:38 p.m. | 2 views

GHSA-3PPC-4F35-3M26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Summary: minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine...

CVSS 8.7 | AI score 5.9 | EPSS 0.00026
Exploits: 1 | References: 4

Github Security Blog
added 2026/02/18 10:38 p.m. | 150 views

minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Summary: minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine...

CVSS 8.7 | AI score 5.3 | EPSS 0.00026
Exploits: 1 | References: 4 | Affected Software: 1

Positive Technologies
added 2026/02/18 12:0 a.m. | 4 views

PT-2026-20994

Name of the Vulnerable Software and Affected Versions: minimatch versions 10.2.0 and below. Description: The software is susceptible to Regular Expression Denial of Service (ReDoS) when processing glob patterns containing numerous consecutive wildcards followed by a literal character absent from the...

CVSS 8.7 | AI score 5.1 | EPSS 0.00175
Exploits: 2 | References: 115

Oracle Linux
added 2026/02/18 12:0 a.m. | 7 views

nodejs:22 security update

nodejs 1:22.22.0-1 - Update to 22.22.0 Resolves: RHEL-141879 nodejs-nodemon 3.0.1-1 - Rebase to 3.0.1 - Resolves: CVE-2022-25883 2.0.20-2 - Patch bundled glob-parent - Resolves: CVE-2021-35065 2.0.20-1 - Rebase to 2.0.20 Resolves: CVE-2022-3517 2.0.15-1 - Resolves: RHBZ2005419 - Resolves...

CVSS 9.1 | AI score 5.5 | EPSS 0.00964
Exploits: 5

Oracle Linux
added 2026/02/18 12:0 a.m. | 6 views

nodejs:20 security update

nodejs 1:20.20.0-1 - Update to version 20.20.0 Resolves: RHEL-141917 nodejs-nodemon 3.0.1-1 - Rebase to 3.0.1 - Resolves: CVE-2022-25883 2.0.20-2 - Patch bundled glob-parent - Resolves: CVE-2021-35065 2.0.20-1 - Rebase to 2.0.20 Resolves: CVE-2022-3517 2.0.15-1 - Resolves: RHBZ2005419 - Resolves...

CVSS 9.1 | AI score 5.5 | EPSS 0.00964
Exploits: 5

Positive Technologies
added 2026/02/18 12:0 a.m. | 3 views

PT-2026-23538

Name of the Vulnerable Software and Affected Versions: openclaw versions prior to 2026.2.14. Description: The OpenClaw exec-approvals allowlist validation checks tokens before expansion, but execution uses shell expansion. This allows safe binaries like head, tail, or grep to read arbitrary local...

CVSS 8.6 | AI score 5.9 | EPSS 0.00023
Exploits: 0 | References: 12

IBM Security Bulletins
added 2026/02/11 11:56 a.m. | 9 views

Security Bulletin: IBM Event Processing is vulnerable to command injection vulnerability (CVE-2025-64756)

Summary: IBM Event Processing is vulnerable to command injection vulnerability due to Glob matches files. Vulnerability Details: CVEID: CVE-2025-64756 DESCRIPTION: Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI...

CVSS 7.5 | AI score 6.4 | EPSS 0.00025
Exploits: 1 | Affected Software: 1

Snyk
added 2026/02/10 6:47 p.m. | 2 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the improper handling of configuration files from default location, provided through the ssh_config_parse_file and ssh_bind_config_parse_file functions and through glob wildcards. An...

CVSS 4.8 | AI score 6.4 | EPSS 0.00007
Exploits: 0 | References: 2

IBM Security Bulletins
added 2026/02/10 6:50 a.m. | 9 views

Security Bulletin: IBM Event Endpoint Management is vulnerable to command injection vulnerability (CVE-2025-64756)

Summary: IBM Event Endpoint Management is vulnerable to command injection vulnerability due to Glob matches files. Vulnerability Details: CVEID: CVE-2025-64756 DESCRIPTION: Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob...

CVSS 7.5 | AI score 6.4 | EPSS 0.00025
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2026/01/30 8:30 a.m. | 6 views

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses glob which is vulnerable to CVE-2025-64756.

Summary: IBM Maximo Application Suite - Visual Inspection component uses glob which is vulnerable to CVE-2025-64756. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details: CVEID: CVE-2025-64756 DESCRIPTION: Glob matches files using patterns the she...

CVSS 7.5 | AI score 6.3 | EPSS 0.00025
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2026/01/22 5:2 a.m. | 7 views

Security Bulletin: Vulnerability affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary: Potential vulnerability has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details: CVEID: CVE-2025-64756 DESCRIPTION: Glob matches files...

CVSS 7.5 | AI score 6.5 | EPSS 0.00025
Exploits: 1 | Affected Software: 1

Tenable Nessus
added 2026/01/20 12:0 a.m. | 6 views

MiracleLinux 8 : glibc-2.28-127.el8 (AXSA:2020-1011:05)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2020-1011:05 advisory. glibc: array overflow in backtrace functions for powerpc CVE-2020-1751 glibc: use-after-free in glob function when expanding user CVE-2020-1752 glib...

CVSS 7 | AI score 7.7 | EPSS 0.00244
Exploits: 1 | References: 4