Regular Expression Denial of Service (ReDoS)

Overview js-video-url-parser is an A parser to extract provider, video id, starttime and others from YouTube, Vimeo, ... urls Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the getTime function in lib/util.js. An attacker can cause excessive...

@1eg/theme-editor-cli (>=0.13.0 <=1.17.0), @aicontextlab/cli (>=0.0.0-dev <=0.2.2) +314 more potentially affected by CVE-2026-5986 via js-video-url-parser (>=0.2.8 <=0.5.1)

js-video-url-parser NPM version =0.2.8, =0.13.0, =0.0.0-dev, =0.2.5, =1.0.103, =0.12.77, =0.1.0, =0.1.136, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.10 and more Source cves: CVE-2026-5986 Source advisory: SNYK:JS-JSVIDEOURLPARSER-15995499...

@1eg/theme-editor-cli (>=0.13.0 <=1.17.0), @aicontextlab/cli (>=0.0.0-dev <=0.2.2) +314 more potentially affected by CVE-2026-5986 via js-video-url-parser (>=0.2.8 <=0.5.1)

js-video-url-parser NPM version =0.2.8, =0.13.0, =0.0.0-dev, =0.2.5, =1.0.103, =0.12.77, =0.1.0, =0.1.136, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.10 and more Source cves: CVE-2026-5986 Source advisory: OSV:GHSA-8FGX-WGVR-PCX8...

EUVD-2026-21236

A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit ha...