CVE-2026-10691 wonderwhy-er DesktopCommanderMCP start_search search-manager.ts redos

A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component startsearch. Performing a manipulation of the argument SearchResult results in inefficient regular expression complexity. It is...

GHSA-R7G9-XPMJ-5FCQ LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex

Summary The built-in striphtml filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many |||/g, '' The regex contains four lazy patterns: 1. 2. 3. 4. For an input like 'script'.repeatN, the engine encounters N starting positions. At each one it mus...

Unity Linux 20.1060e / 20.1070e Security Update: python-flask-restx (UTSA-2026-016606)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016606 advisory. Flask-RESTX pypi package flask-restx is a community driven fork of Flask-RESTPlus. Flask-RESTX before version 0.5.1 is vulnerable to ReDoS Regular Expression Denial ...

Astra Linux - уязвимость в node-semver

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service ReDoS via the function new Range, when untrusted user data is provided as a range...

Astra Linux - уязвимость в jinja2

This issue affects the Jinja2 package versions starting from 0.0.0 and earlier than 2.11.3. The ReDoS vulnerability is primarily caused by the punctuationre regex operator and its use of multiple wildcards. The last wildcard is the most exploitable, as it is used to search for trailing punctuatio...

Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition

Summary Multiple vulnerabilities were addressed in IBM watsonx Orchestrate Developer Edition version 2.10.0 Vulnerability Details CVEID:CVE-2025-69873 DESCRIPTION: ajv Another JSON Schema Validator before 8.18.0 is vulnerable to Regular Expression Denial of Service ReDoS when the $data option is...

CLSA-2026-1779099998 ruby: Fix of CVE-2023-28755

CVE-2023-28755: fix ReDoS in URI parser by converting greedy quantifiers to possessive quantifiers in RFC3986URI and RFC3986relativeref...

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

CLSA-2026-1778979189 Fix CVE(s): CVE-2024-6232, CVE-2024-7592, CVE-2024-9287

SECURITY UPDATE: ReDoS in tarfile PAX header parsing - debian/patches/CVE-2024-6232.patch: rewrite Lib/tarfile.py PAX-record parser to scan length-prefixed records via a bounded regex headerlengthprefixre plus direct slicing, eliminating quadratic backtracking in three pre-existing regexes. Adapt...

NPM: Svelte: ReDoS in `<svelte:element>` Tag Validation

NPM: Svelte: ReDoS in Tag Validation vulnerability discovered by ? in WordPress Npm svelte versions = 5.51.5, = 5.55.6...

CLSA-2026-1778505256 python: Fix of 2 CVEs

CVE-2021-3733: fix ReDoS in urllib2 AbstractBasicAuthHandler regex; the legacy '?:.,' prefix is replaced with the upstream-3.x form '?:^|,' and the scheme charset excludes ',' to prevent quadratic backtracking on crafted WWW-Authenticate headers - CVE-2021-23336: stop accepting ';' as a default...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-jinja2 (UTSA-2026-017474)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017474 advisory. This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the punctuationre regex operator and its use of multiple...

SUSE CVE-2026-33079

In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS Regular Expression Denial of Service vulnerability in LINKTITLERE that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerabilities in picomatch-2.3.1.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerabilities in picomatch-2.3.1.tgz Vulnerability Details CVEID:CVE-2026-33671 DESCRIPTION: Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service ReDoS...

Security update for rmt-server

This update for rmt-server fixes the following issues: Update to version 2.27. Security issues fixed: CVE-2026-26961: rack: greedy multipart boundary parsing can lead to parser differentials and WAF bypass bsc1261398. CVE-2026-26962: rack: improper unfolding of folded multipart headers can lead t...

SUSE-SU-2026:1745-1 Security update for rmt-server

This update for rmt-server fixes the following issues: Update to version 2.27. Security issues fixed: - CVE-2026-26961: rack: greedy multipart boundary parsing can lead to parser differentials and WAF bypass bsc1261398. - CVE-2026-26962: rack: improper unfolding of folded multipart headers can le...

CVE-2026-33079

In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS Regular Expression Denial of Service vulnerability in LINKTITLERE that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping...

Security Bulletin: There is a vulnerability in picomatch-2.3.1.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-33671)

Summary There is a vulnerability in picomatch-2.3.1.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-33671 DESCRIPTION: Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regula...

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses picomatch-2.3.1.tgz which is vulnerable to CVE-2026-33671, CVE-2026-33672.

Summary IBM Maximo Application Suite - Monitor Component uses picomatch-2.3.1.tgz which is vulnerable to CVE-2026-33671, CVE-2026-33672. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-33671 DESCRIPTION: Picomatch is a glob matcher written...

Astra Linux - уязвимость в ruby2.5, jruby

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2...