4106 matches found
CVE-2026-13221
Perl versions up to 5.43.9 have a regex matching bug when compiling an alternation of more than 65,535 fixed-string branches into a trie in Perl_study_chunk. In this case the delta between the first branch and the shared tail is stored in a 16‑bit field; a branch count above 65,535 overflows this...
modoboa 2.0.4 - Admin TakeOver
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4. id: CVE-2023-0777 info: name: modoboa 2.0.4 - Admin TakeOver author: r3Y3r53 severity: critical description: | Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to...
Budibase - Authentication Bypass
Budibase = 3.31.4 contains an authentication bypass caused by unanchored regex in authorized middleware matching webhook path patterns in query strings, letting unauthenticated remote attackers access any server-side API endpoint, exploit requires crafted request with webhook pattern in URL. id:...
Loytec LGATE-902 <6.4.2 - Local File Inclusion
Loytec LGATE-902 versions prior to 6.4.2 suffers from a local file inclusion vulnerability. id: CVE-2018-14916 info: name: Loytec LGATE-902 6.4.2 - Local File Inclusion author: 0xAkoko severity: critical description: Loytec LGATE-902 versions prior to 6.4.2 suffers from a local file inclusion...
Webmin < 1.920 - Authenticated Remote Code Execution
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialisevariable makes an eval call. NOTE: the WebminServersIndex documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must...
CVE-2026-54760
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.1, the SQLChatAgent SQL-injection mitigation, with default allowdangerousoperations=False, combines a raw-text regex blocklist DANGEROUSSQLPATTERNS with a sqlglot SELECT-only statement allowlist...
CVE-2026-54760
CVE-2026-54760: Langroid’s SQLChatAgent dangerous-function blocklist can be bypassed. Prior to version 0.65.1, the mitigation combines a raw-text regex (_DANGEROUS_SQL_PATTERNS) with a sqlglot-based SELECT-only allowlist. Attackers can defeat the regex using PostgreSQL forms such as quoted identi...
CVE-2026-59220
Open WebUI (self-hosted AI platform) has a ReDoS in theSkill mention handling. In versions before 0.10.0, the SKILL_MENTION_RE and strip_re regexes in backend/open_webui/utils/middleware.py parsed mentions with overlapping quantifiers, allowing an authenticated user to send a message containing ...
CVE-2026-59220
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILLMENTIONRE and stripre regular expressions in backend/openwebui/utils/middleware.py parsed skill mentions with overlapping quantifiers, allowing an authenticated chat message...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by submitting specially crafted regular expressions th...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by submitting specially crafted regular expressions th...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by submitting specially crafted regular expressions th...
Regular Expression Denial of Service (ReDoS)
Amendment This was deemed not a vulnerability. Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by...
CVE-2026-55470
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, the fix for CVE-2026-45367 incompletely patched the DSTU2 module, leaving FHIRPathEngine.matches in org.hl7.fhir.dstu2/utils/FHIRPathEngine.java to call raw String.matchessw...
CVE-2026-55470
CVE-2026-55470 affects the DSTU2 module of HAPI FHIR (org.hl7.fhir.dstu2) where FHIRPathEngine.matches() still uses raw String.matches(sw) with no RegexTimeout, enabling unauthenticated attackers to trigger catastrophic regex backtracking and exhaust CPU. The issue is resolved by upgrading to 6.9...
CVE-2026-55470 HAPI FHIR: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, the fix for CVE-2026-45367 incompletely patched the DSTU2 module, leaving FHIRPathEngine.matches in org.hl7.fhir.dstu2/utils/FHIRPathEngine.java to call raw String.matchessw...
CVE-2026-55470
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, the fix for CVE-2026-45367 incompletely patched the DSTU2 module, leaving FHIRPathEngine.matches in org.hl7.fhir.dstu2/utils/FHIRPathEngine.java to call raw String.matchessw...
CVE-2026-15154 Guardrails-detectors: guardrails-detectors: unauthenticated regular-expression denial of service (redos) via detector_params.regex
A flaw was found in guardrails-detectors, a component of Red Hat OpenShift AI. This vulnerability, known as Regular Expression Denial of Service ReDoS, allows a remote attacker to provide specially crafted regular expressions to the public detection API. This can cause catastrophic backtracking,...
CVE-2026-15154
A flaw was found in guardrails-detectors, a component of Red Hat OpenShift AI. This vulnerability, known as Regular Expression Denial of Service ReDoS, allows a remote attacker to provide specially crafted regular expressions to the public detection API. This can cause catastrophic backtracking,...
CVE-2026-55574
A flaw was found in vLLM, a high-throughput and memory-efficient inference and serving engine for large language models LLMs. A remote attacker could exploit this vulnerability by providing a specially crafted regular expression to the structuredoutputs.regex API parameter. This adversarial regex...