CVE-2025-69873

ajv Another JSON Schema Validator before 8.18.0 is vulnerable to Regular Expression Denial of Service ReDoS when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax $data reference, which is passed directly to the JavaScript RegExp constructor without...

CVE-2026-26006

AutoGPT (significant-gravitas/autogpt) before version 0.6.32 is vulnerable in the Code Extraction Block due to two adjacent quantifiers in regex patterns that can cause catastrophic backtracking with long sequences of spaces, leading to DoS. The fix is to upgrade to 0.6.32. If upgrading is not po...

CVE-2026-25478

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, CORSConfig.allowedoriginsregex is constructed using a regex built from configured allowlist values and used with fullmatch for validation. Because metacharacters are not escaped, a malicious origin can match...

CVE-2026-0965

A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service DoS by causing the system t...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the matchpattern function due to inefficient processing of the complex regular expressions. An attacker can cause resource exhaustion by supplying specially crafted input that...

libssh 安全漏洞

libssh is a C-language development package from the libssh organization that allows access to SSH services. It can execute remote commands, transfer files, and provide a secure transmission channel for remote programs. libssh has security vulnerabilities, which stem from inefficient regular...

AutoGPT 安全漏洞

AutoGPT is an open-source tool developed by AutoGPT. It aims to make AI accessible and usable for everyone. Versions of AutoGPT prior to 0.6.32 contain security vulnerabilities. These vulnerabilities stem from dangerous patterns in the regular expressions used in code extraction blocks, which cou...

PT-2026-7216

Name of the Vulnerable Software and Affected Versions affected versions not specified Description An authenticated attacker with standard user privileges and network access can cause a denial-of-service condition by repeatedly calling a remotely enabled function module with a very large...

PT-2026-7472

Name of the Vulnerable Software and Affected Versions AutoGPT versions prior to 0.6.32 Description AutoGPT is a platform for creating, deploying, and managing continuous artificial intelligence agents that automate complex workflows. Versions of AutoGPT before 0.6.32 contain a Regular Expression...

Incorrect Regular Expression

Overview litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework Affected versions of this package are vulnerable to Incorrect Regular Expression via the allowedhosts host validation. An attacker can gain unauthorized access by supplying a specially crafted...

CVE-2026-25479

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, in litestar.middleware.allowedhosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning e.g., . matches any character. This enables a bypass...

CVE-2026-25478 Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, CORSConfig.allowedoriginsregex is constructed using a regex built from configured allowlist values and used with fullmatch for validation. Because metacharacters are not escaped, a malicious origin can match...

CVE-2026-25478

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, CORSConfig.allowedoriginsregex is constructed using a regex built from configured allowlist values and used with fullmatch for validation. Because metacharacters are not escaped, a malicious origin can match...

CVE-2026-25478 Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, CORSConfig.allowedoriginsregex is constructed using a regex built from configured allowlist values and used with fullmatch for validation. Because metacharacters are not escaped, a malicious origin can match...

Litestar 安全漏洞

Litestar is a powerful, flexible, yet stubbornly opinionated ASGI framework developed by Litestar itself. Versions of Litestar prior to 2.20.0 contained security vulnerabilities, which stemmed from the lack of escaping regular expression metacharacters, potentially allowing malicious sources to...

RubyGems: Server-side ReDoS via user-controlled regex in OIDC Access Policy

The OIDC Access Policy implementation evaluated user-supplied regular expressions against JWT claim values using Ruby's Regexp engine without any timeout or complexity validation. The vulnerable code path was Regexp.newvalue.match?claimvalue, where value was fully user-controlled and claimvalue w...

Regular Expression Denial of Service (ReDoS)

Overview apollo-server is a Production ready GraphQL Server Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the startStandaloneServer function. An attacker can cause the server to become unresponsive by sending specially crafted request bodies wi...

Regular Expression Denial of Service (ReDoS)

Overview @apollo/server is a spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. Successor to apollo-server-core, et al. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the startStandaloneServer...

brace-expansion 安全漏洞

Brace-expansion is a JavaScript extension developed by Julian Gruber. Versions prior to brace-expansion 5.0.1 contained a security vulnerability due to an unbounded parentheses expansion mechanism, which could lead to regular expression denial-of-service attacks...

CVE-2026-25155

Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0...