CVE-2026-4867

Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period .. For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in [email protected] only prevents ambiguity for two...

CVE-2026-32098

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause th...

CVE-2026-2277

The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2026-30837

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String format: 'url' is vulnerable to ReDoS. Repeating a partial url format protocol and hostname multiple times cause regex to slow down...

OpenClaw Denial of Service Vulnerability (CNVD-2026-15152)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw has a denial of service hole that can be exploited by attackers to cause regular expression injection and denial of service...

Regular Expression Denial of Service (ReDoS)

Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS when processing crafted extglob patterns. An attacker can cause excessive CPU consumption and block the event loop by supplying crafted extglob patterns that trigger catastrophic backtracking i...

GHSA-C2C7-RCM5-VVQJ Picomatch has a ReDoS vulnerability via extglob quantifiers

Impact picomatch is vulnerable to Regular Expression Denial of Service ReDoS when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as + and , especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that c...

Regular Expression Denial of Service (ReDoS)

Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS when processing crafted extglob patterns. An attacker can cause excessive CPU consumption and block the event loop by supplying crafted extglob patterns that trigger catastrophic backtracking i...

Picomatch has a ReDoS vulnerability via extglob quantifiers

Impact picomatch is vulnerable to Regular Expression Denial of Service ReDoS when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as + and , especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that c...

PT-2026-28173

Name of the Vulnerable Software and Affected Versions Picomatch versions prior to 4.0.4 Picomatch versions prior to 3.0.2 Picomatch versions prior to 2.3.2 Description Picomatch, a JavaScript glob matcher, contains a flaw where specially crafted POSIX bracket expressions, such as :constructor:, c...

CVE-2026-23920

Host and event action script input is validated with a regex set by the administrator, but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands...

CVE-2026-23920

Host and event action script input is validated with a regex set by the administrator, but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands...

CVE-2026-23920 Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection

Host and event action script input is validated with a regex set by the administrator, but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands...

CVE-2026-33418

DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the ensureSize function in @dicebear/converter used a regex-based approach to rewrite SVG width/height attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafti...

Regular Expression Denial of Service (ReDoS)

Overview activesupport is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS in numbertodelimited in the NumberToDelimitedConverter. An attacker can cause...

CVE-2026-33169 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. NumberToDelimitedConverter uses a lookahead-based regular expression with gsub! to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between th...

GHSA-CG4J-Q9V8-6V38 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Impact NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings. Releases The fixed releases are available at the normal locations. Credit This issue was responsibly reported by Hackerone...

Python -- configparser vulnerable to excessive CPU use

Stan Ulbrych reports: configparser.RawConfigParser.OPTCRE,OPTCRENV regexes are vulnerable to quadratic backtracking...

Rails 安全漏洞

Rails is an open-source web application framework based on the Ruby language, developed by the Rails team in the United States. Vulnerabilities exist in versions of Rails prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1. These vulnerabilities stem from a problem with regular expressions that involves...

Regular Expression Denial of Service (ReDoS)

Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the AdlLexer class in the archetype.py file. A user can cause excessive resource consumption. Details Denial of Service DoS describes a family of attacks, all aimed at making a system...