2 matches found
CVE-2026-33671
Picomatch (JavaScript glob matcher) is affected by CVE-2026-33671. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to ReDoS via extglob patterns, where patterns like +() and *() can cause catastrophic backtracking in generated regular expressions, potentially blocking the Node.js event l...
CVE-2026-33672
CVE-2026-33672 affects the Picomatch glob matcher used in JavaScript. The vulnerability stems from a method-injection in the POSIX_REGEX_SOURCE object, which inherits from Object.prototype. Attackers can craft POSIX bracket expressions (for example, [[:constructor:]]) that reference inherited met...