Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for path-to-regexp by path-to-regexp

    CVE-2026-4926 (GCVE-0-2026-4926)

    Vulnerability from nvd – Published: 2026-03-26 18:59 – Updated: 2026-06-30 12:10
    VLAI
    Title
    path-to-regexp vulnerable to Denial of Service via sequential optional groups
    Summary
    Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    References
    Impacted products
    Vendor Product Version
    path-to-regexp path-to-regexp Affected: 8.0.0 , < 8.4.0 (semver)
    Unaffected: 8.4.0 (semver)
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 8     cpe:/a:redhat:ansible_automation_platform:2.5::el8
        cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8
        cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 9     cpe:/a:redhat:ansible_automation_platform:2.5::el9
        cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9
        cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.6 for RHEL 9     cpe:/a:redhat:ansible_automation_platform:2.6::el9
        cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9
        cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9
    Create a notification for this product.
    Red Hat Cryostat 4 on RHEL 9     cpe:/a:redhat:cryostat:4::el9
    Create a notification for this product.
    Red Hat Migration Toolkit for Virtualization 2.1     cpe:/a:redhat:migration_toolkit_virtualization:2.10::el9
    Create a notification for this product.
    Red Hat Migration Toolkit for Virtualization 2.9     cpe:/a:redhat:migration_toolkit_virtualization:2.9::el9
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.6     cpe:/a:redhat:ansible_automation_platform:2.6::el9
    Create a notification for this product.
    Red Hat Red Hat Developer Hub 1.8     cpe:/a:redhat:rhdh:1.8::el9
    Create a notification for this product.
    Red Hat Red Hat Developer Hub 1.9     cpe:/a:redhat:rhdh:1.9::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces 3.27     cpe:/a:redhat:openshift_devspaces:3.27::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift distributed tracing 3.9.3     cpe:/a:redhat:openshift_distributed_tracing:3.9::el9
    Create a notification for this product.
    Red Hat Red Hat Trusted Artifact Signer 1.3     cpe:/a:redhat:trusted_artifact_signer:1.3::el9
    Create a notification for this product.
    Red Hat Logging Subsystem for Red Hat OpenShift     cpe:/a:redhat:logging:5
    Create a notification for this product.
    Red Hat Migration Toolkit for Applications 8     cpe:/a:redhat:migration_toolkit_applications:8
    Create a notification for this product.
    Red Hat Multicluster Engine for Kubernetes     cpe:/a:redhat:multicluster_engine
    Create a notification for this product.
    Red Hat OpenShift Pipelines     cpe:/a:redhat:openshift_pipelines:1
    Create a notification for this product.
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2     cpe:/a:redhat:acm:2
    Create a notification for this product.
    Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2     cpe:/a:redhat:ansible_automation_platform:2
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
    Create a notification for this product.
    Red Hat Red Hat Developer Hub     cpe:/a:redhat:rhdh:1
    Create a notification for this product.
    Red Hat Red Hat Edge Manager 1     cpe:/a:redhat:edge_manager:1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Red Hat Red Hat Openshift Data Foundation 4     cpe:/a:redhat:openshift_data_foundation:4
    Create a notification for this product.
    Red Hat Red Hat OpenShift GitOps     cpe:/a:redhat:openshift_gitops:1
    Create a notification for this product.
    Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
    Create a notification for this product.
    Red Hat Self-service automation portal 2     cpe:/a:redhat:ansible_portal:2
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.6 for RHEL 10     cpe:/a:redhat:ansible_automation_platform:2.6::el10
        cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10
    Create a notification for this product.
    Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
    Create a notification for this product.
    Red Hat Network Observability Operator     cpe:/a:redhat:network_observ_optr:1
    Create a notification for this product.
    Red Hat OpenShift Lightspeed     cpe:/a:redhat:openshift_lightspeed
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 2     cpe:/a:redhat:service_mesh:2
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 3     cpe:/a:redhat:service_mesh:3
    Create a notification for this product.
    Red Hat Red Hat Advanced Cluster Security 4     cpe:/a:redhat:advanced_cluster_security:4
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel - HawtIO 4     cpe:/a:redhat:apache_camel_hawtio:4
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Red Hat Red Hat OpenShift Virtualization 4     cpe:/a:redhat:container_native_virtualization:4
    Create a notification for this product.
    Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
    Create a notification for this product.
    Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
    Create a notification for this product.
    Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
    Create a notification for this product.
    Red Hat Red Hat Trusted Profile Analyzer     cpe:/a:redhat:trusted_profile_analyzer:2
    Create a notification for this product.
    Credits
    uug4na blakeembrey UlisesGascon
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4926",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-27T19:44:44.790485Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-27T19:44:53.294Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8",
                  "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9",
                  "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9",
                  "cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Cryostat 4 on RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:migration_toolkit_virtualization:2.10::el9"
                ],
                "defaultStatus": "affected",
                "product": "Migration Toolkit for Virtualization 2.1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:migration_toolkit_virtualization:2.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Migration Toolkit for Virtualization 2.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.8::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3.27::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Dev Spaces 3.27",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift distributed tracing 3.9.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:trusted_artifact_signer:1.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Trusted Artifact Signer 1.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:logging:5"
                ],
                "defaultStatus": "affected",
                "product": "Logging Subsystem for Red Hat OpenShift",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:migration_toolkit_applications:8"
                ],
                "defaultStatus": "affected",
                "product": "Migration Toolkit for Applications 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_engine"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Engine for Kubernetes",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_pipelines:1"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Pipelines",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_broker:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AMQ Broker 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:edge_manager:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Edge Manager 1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_gitops:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift GitOps",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_single_sign_on:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Single Sign-On 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "affected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el10",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Cryostat 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:network_observ_optr:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Network Observability Operator",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_lightspeed"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Lightspeed",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:2"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Advanced Cluster Security 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:apache_camel_hawtio:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel - HawtIO 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_registry:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apicurio Registry 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:container_native_virtualization:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Virtualization 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Process Automation 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quay:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Quay 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:satellite:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Satellite 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:trusted_profile_analyzer:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Trusted Profile Analyzer",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-03-26T18:59:38.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in path-to-regexp. A remote attacker could exploit this vulnerability by providing specially crafted input that generates a regular expression with multiple sequential optional groups. This leads to an exponential growth in the generated regular expression, causing a Denial of Service (DoS) due to excessive resource consumption."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1333",
                    "description": "Inefficient Regular Expression Complexity",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:34.415Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-4926"
              },
              {
                "name": "RHBZ#2451867",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451867"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4926.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24761"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24762"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:17789"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:19409"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:19410"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24866"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13545"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9742"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13826"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:10175"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9385"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:10172"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:10153"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:24761: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24762: Red Hat Ansible Automation Platform 2.6 for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:17789: Cryostat 4 on RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:19409: Migration Toolkit for Virtualization 2.1"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:19410: Migration Toolkit for Virtualization 2.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24866: Red Hat Ansible Automation Platform 2.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13545: Red Hat Ansible Automation Platform 2.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9742: Red Hat Developer Hub 1.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13826: Red Hat Developer Hub 1.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:10175: Red Hat OpenShift Dev Spaces 3.27"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9385: Red Hat OpenShift distributed tracing 3.9.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:10172: Red Hat Trusted Artifact Signer 1.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:10153: Red Hat Trusted Artifact Signer 1.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-03-26T20:03:28.427Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-03-26T18:59:38.000Z",
                "value": "Made public."
              }
            ],
            "title": "path-to-regexp: path-to-regexp: Denial of Service via crafted regular expressions",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this vulnerability, limit the use of multiple sequential optional groups in route patterns within applications that use `path-to-regexp`. Additionally, avoid directly passing user-controlled input as route patterns to prevent the generation of maliciously crafted regular expressions."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/path-to-regexp",
              "product": "path-to-regexp",
              "vendor": "path-to-regexp",
              "versions": [
                {
                  "lessThan": "8.4.0",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "8.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "uug4na"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "blakeembrey"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "UlisesGascon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Impact:\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\nPatches:\n\nFixed in version 8.4.0.\n\nWorkarounds:\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns."
                }
              ],
              "value": "Impact:\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\nPatches:\n\nFixed in version 8.4.0.\n\nWorkarounds:\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-26T18:59:38.000Z",
            "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
            "shortName": "openjs"
          },
          "references": [
            {
              "url": "https://cna.openjsf.org/security-advisories.html"
            }
          ],
          "title": "path-to-regexp vulnerable to Denial of Service via sequential optional groups",
          "x_generator": {
            "engine": "cve-kit 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "assignerShortName": "openjs",
        "cveId": "CVE-2026-4926",
        "datePublished": "2026-03-26T18:59:38.000Z",
        "dateReserved": "2026-03-26T18:36:49.229Z",
        "dateUpdated": "2026-06-30T12:10:34.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4923 (GCVE-0-2026-4923)

    Vulnerability from nvd – Published: 2026-03-26 19:02 – Updated: 2026-03-27 13:58
    VLAI
    Title
    path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
    Summary
    Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /*foo-*bar-:baz /*a-:b-*c-:d /x/*a-:b/*c/y Safe examples: /*foo-:bar /*foo-:bar-*baz Patches: Upgrade to version 8.4.0. Workarounds: If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    References
    Impacted products
    Vendor Product Version
    path-to-regexp path-to-regexp Affected: 8.0.0 , < 8.4.0 (semver)
    Unaffected: 8.4.0 (semver)
    Create a notification for this product.
    Credits
    blakeembrey UlisesGascon
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4923",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-27T13:46:47.360477Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-27T13:58:03.925Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/path-to-regexp",
              "product": "path-to-regexp",
              "vendor": "path-to-regexp",
              "versions": [
                {
                  "lessThan": "8.4.0",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "8.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "blakeembrey"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "UlisesGascon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Impact:\n\nWhen using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.\n\nUnsafe examples:\n\n/*foo-*bar-:baz\n/*a-:b-*c-:d\n/x/*a-:b/*c/y\n\nSafe examples:\n\n/*foo-:bar\n/*foo-:bar-*baz\n\nPatches:\n\nUpgrade to version 8.4.0.\n\nWorkarounds:\n\nIf you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable."
                }
              ],
              "value": "Impact:\n\nWhen using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.\n\nUnsafe examples:\n\n/*foo-*bar-:baz\n/*a-:b-*c-:d\n/x/*a-:b/*c/y\n\nSafe examples:\n\n/*foo-:bar\n/*foo-:bar-*baz\n\nPatches:\n\nUpgrade to version 8.4.0.\n\nWorkarounds:\n\nIf you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-26T19:02:00.729Z",
            "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
            "shortName": "openjs"
          },
          "references": [
            {
              "url": "https://cna.openjsf.org/security-advisories.html"
            }
          ],
          "title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards",
          "x_generator": {
            "engine": "cve-kit 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "assignerShortName": "openjs",
        "cveId": "CVE-2026-4923",
        "datePublished": "2026-03-26T19:02:00.729Z",
        "dateReserved": "2026-03-26T18:05:44.717Z",
        "dateUpdated": "2026-03-27T13:58:03.925Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4867 (GCVE-0-2026-4867)

    Vulnerability from nvd – Published: 2026-03-26 16:16 – Updated: 2026-03-26 16:52
    VLAI
    Title
    path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
    Summary
    Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking. Patches: Upgrade to path-to-regexp@0.1.13 Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group. Workarounds: All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+). If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    path-to-regexp path-to-regexp Affected: 0 , < 0.1.13 (semver)
    Create a notification for this product.
    Credits
    EthanKim88 blakeembrey UlisesGascon
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4867",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T16:52:08.810671Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-26T16:52:14.893Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/path-to-regexp",
              "product": "path-to-regexp",
              "vendor": "path-to-regexp",
              "versions": [
                {
                  "lessThan": "0.1.13",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "EthanKim88"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "blakeembrey"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "UlisesGascon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Impact:\n\nA bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.\n\nPatches:\n\nUpgrade to path-to-regexp@0.1.13\n\nCustom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.\n\nWorkarounds:\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length."
                }
              ],
              "value": "Impact:\n\nA bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.\n\nPatches:\n\nUpgrade to path-to-regexp@0.1.13\n\nCustom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.\n\nWorkarounds:\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-26T16:16:25.501Z",
            "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
            "shortName": "openjs"
          },
          "references": [
            {
              "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j"
            },
            {
              "url": "https://blakeembrey.com/posts/2024-09-web-redos"
            },
            {
              "url": "https://cna.openjsf.org/security-advisories.html"
            }
          ],
          "title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",
          "x_generator": {
            "engine": "cve-kit 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "assignerShortName": "openjs",
        "cveId": "CVE-2026-4867",
        "datePublished": "2026-03-26T16:16:25.501Z",
        "dateReserved": "2026-03-25T20:11:53.714Z",
        "dateUpdated": "2026-03-26T16:52:14.893Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4923 (GCVE-0-2026-4923)

    Vulnerability from cvelistv5 – Published: 2026-03-26 19:02 – Updated: 2026-03-27 13:58
    VLAI
    Title
    path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
    Summary
    Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /*foo-*bar-:baz /*a-:b-*c-:d /x/*a-:b/*c/y Safe examples: /*foo-:bar /*foo-:bar-*baz Patches: Upgrade to version 8.4.0. Workarounds: If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    References
    Impacted products
    Vendor Product Version
    path-to-regexp path-to-regexp Affected: 8.0.0 , < 8.4.0 (semver)
    Unaffected: 8.4.0 (semver)
    Create a notification for this product.
    Credits
    blakeembrey UlisesGascon
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4923",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-27T13:46:47.360477Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-27T13:58:03.925Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/path-to-regexp",
              "product": "path-to-regexp",
              "vendor": "path-to-regexp",
              "versions": [
                {
                  "lessThan": "8.4.0",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "8.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "blakeembrey"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "UlisesGascon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Impact:\n\nWhen using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.\n\nUnsafe examples:\n\n/*foo-*bar-:baz\n/*a-:b-*c-:d\n/x/*a-:b/*c/y\n\nSafe examples:\n\n/*foo-:bar\n/*foo-:bar-*baz\n\nPatches:\n\nUpgrade to version 8.4.0.\n\nWorkarounds:\n\nIf you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable."
                }
              ],
              "value": "Impact:\n\nWhen using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.\n\nUnsafe examples:\n\n/*foo-*bar-:baz\n/*a-:b-*c-:d\n/x/*a-:b/*c/y\n\nSafe examples:\n\n/*foo-:bar\n/*foo-:bar-*baz\n\nPatches:\n\nUpgrade to version 8.4.0.\n\nWorkarounds:\n\nIf you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-26T19:02:00.729Z",
            "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
            "shortName": "openjs"
          },
          "references": [
            {
              "url": "https://cna.openjsf.org/security-advisories.html"
            }
          ],
          "title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards",
          "x_generator": {
            "engine": "cve-kit 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "assignerShortName": "openjs",
        "cveId": "CVE-2026-4923",
        "datePublished": "2026-03-26T19:02:00.729Z",
        "dateReserved": "2026-03-26T18:05:44.717Z",
        "dateUpdated": "2026-03-27T13:58:03.925Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4926 (GCVE-0-2026-4926)

    Vulnerability from cvelistv5 – Published: 2026-03-26 18:59 – Updated: 2026-06-30 12:10
    VLAI
    Title
    path-to-regexp vulnerable to Denial of Service via sequential optional groups
    Summary
    Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    References
    Impacted products
    Vendor Product Version
    path-to-regexp path-to-regexp Affected: 8.0.0 , < 8.4.0 (semver)
    Unaffected: 8.4.0 (semver)
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 8     cpe:/a:redhat:ansible_automation_platform:2.5::el8
        cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8
        cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 9     cpe:/a:redhat:ansible_automation_platform:2.5::el9
        cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9
        cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.6 for RHEL 9     cpe:/a:redhat:ansible_automation_platform:2.6::el9
        cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9
        cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9
    Create a notification for this product.
    Red Hat Cryostat 4 on RHEL 9     cpe:/a:redhat:cryostat:4::el9
    Create a notification for this product.
    Red Hat Migration Toolkit for Virtualization 2.1     cpe:/a:redhat:migration_toolkit_virtualization:2.10::el9
    Create a notification for this product.
    Red Hat Migration Toolkit for Virtualization 2.9     cpe:/a:redhat:migration_toolkit_virtualization:2.9::el9
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.6     cpe:/a:redhat:ansible_automation_platform:2.6::el9
    Create a notification for this product.
    Red Hat Red Hat Developer Hub 1.8     cpe:/a:redhat:rhdh:1.8::el9
    Create a notification for this product.
    Red Hat Red Hat Developer Hub 1.9     cpe:/a:redhat:rhdh:1.9::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces 3.27     cpe:/a:redhat:openshift_devspaces:3.27::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift distributed tracing 3.9.3     cpe:/a:redhat:openshift_distributed_tracing:3.9::el9
    Create a notification for this product.
    Red Hat Red Hat Trusted Artifact Signer 1.3     cpe:/a:redhat:trusted_artifact_signer:1.3::el9
    Create a notification for this product.
    Red Hat Logging Subsystem for Red Hat OpenShift     cpe:/a:redhat:logging:5
    Create a notification for this product.
    Red Hat Migration Toolkit for Applications 8     cpe:/a:redhat:migration_toolkit_applications:8
    Create a notification for this product.
    Red Hat Multicluster Engine for Kubernetes     cpe:/a:redhat:multicluster_engine
    Create a notification for this product.
    Red Hat OpenShift Pipelines     cpe:/a:redhat:openshift_pipelines:1
    Create a notification for this product.
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2     cpe:/a:redhat:acm:2
    Create a notification for this product.
    Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2     cpe:/a:redhat:ansible_automation_platform:2
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
    Create a notification for this product.
    Red Hat Red Hat Developer Hub     cpe:/a:redhat:rhdh:1
    Create a notification for this product.
    Red Hat Red Hat Edge Manager 1     cpe:/a:redhat:edge_manager:1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Red Hat Red Hat Openshift Data Foundation 4     cpe:/a:redhat:openshift_data_foundation:4
    Create a notification for this product.
    Red Hat Red Hat OpenShift GitOps     cpe:/a:redhat:openshift_gitops:1
    Create a notification for this product.
    Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
    Create a notification for this product.
    Red Hat Self-service automation portal 2     cpe:/a:redhat:ansible_portal:2
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.6 for RHEL 10     cpe:/a:redhat:ansible_automation_platform:2.6::el10
        cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10
    Create a notification for this product.
    Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
    Create a notification for this product.
    Red Hat Network Observability Operator     cpe:/a:redhat:network_observ_optr:1
    Create a notification for this product.
    Red Hat OpenShift Lightspeed     cpe:/a:redhat:openshift_lightspeed
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 2     cpe:/a:redhat:service_mesh:2
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 3     cpe:/a:redhat:service_mesh:3
    Create a notification for this product.
    Red Hat Red Hat Advanced Cluster Security 4     cpe:/a:redhat:advanced_cluster_security:4
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel - HawtIO 4     cpe:/a:redhat:apache_camel_hawtio:4
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Red Hat Red Hat OpenShift Virtualization 4     cpe:/a:redhat:container_native_virtualization:4
    Create a notification for this product.
    Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
    Create a notification for this product.
    Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
    Create a notification for this product.
    Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
    Create a notification for this product.
    Red Hat Red Hat Trusted Profile Analyzer     cpe:/a:redhat:trusted_profile_analyzer:2
    Create a notification for this product.
    Credits
    uug4na blakeembrey UlisesGascon
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4926",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-27T19:44:44.790485Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-27T19:44:53.294Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8",
                  "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9",
                  "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9",
                  "cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Cryostat 4 on RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:migration_toolkit_virtualization:2.10::el9"
                ],
                "defaultStatus": "affected",
                "product": "Migration Toolkit for Virtualization 2.1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:migration_toolkit_virtualization:2.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Migration Toolkit for Virtualization 2.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.8::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3.27::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Dev Spaces 3.27",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift distributed tracing 3.9.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:trusted_artifact_signer:1.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Trusted Artifact Signer 1.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:logging:5"
                ],
                "defaultStatus": "affected",
                "product": "Logging Subsystem for Red Hat OpenShift",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:migration_toolkit_applications:8"
                ],
                "defaultStatus": "affected",
                "product": "Migration Toolkit for Applications 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_engine"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Engine for Kubernetes",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_pipelines:1"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Pipelines",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_broker:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AMQ Broker 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:edge_manager:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Edge Manager 1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_gitops:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift GitOps",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_single_sign_on:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Single Sign-On 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "affected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el10",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Cryostat 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:network_observ_optr:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Network Observability Operator",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_lightspeed"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Lightspeed",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:2"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Advanced Cluster Security 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:apache_camel_hawtio:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel - HawtIO 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_registry:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apicurio Registry 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:container_native_virtualization:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Virtualization 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Process Automation 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quay:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Quay 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:satellite:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Satellite 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:trusted_profile_analyzer:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Trusted Profile Analyzer",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-03-26T18:59:38.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in path-to-regexp. A remote attacker could exploit this vulnerability by providing specially crafted input that generates a regular expression with multiple sequential optional groups. This leads to an exponential growth in the generated regular expression, causing a Denial of Service (DoS) due to excessive resource consumption."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1333",
                    "description": "Inefficient Regular Expression Complexity",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:34.415Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-4926"
              },
              {
                "name": "RHBZ#2451867",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451867"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4926.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24761"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24762"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:17789"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:19409"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:19410"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24866"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13545"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9742"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13826"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:10175"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9385"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:10172"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:10153"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:24761: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24762: Red Hat Ansible Automation Platform 2.6 for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:17789: Cryostat 4 on RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:19409: Migration Toolkit for Virtualization 2.1"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:19410: Migration Toolkit for Virtualization 2.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24866: Red Hat Ansible Automation Platform 2.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13545: Red Hat Ansible Automation Platform 2.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9742: Red Hat Developer Hub 1.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13826: Red Hat Developer Hub 1.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:10175: Red Hat OpenShift Dev Spaces 3.27"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9385: Red Hat OpenShift distributed tracing 3.9.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:10172: Red Hat Trusted Artifact Signer 1.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:10153: Red Hat Trusted Artifact Signer 1.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-03-26T20:03:28.427Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-03-26T18:59:38.000Z",
                "value": "Made public."
              }
            ],
            "title": "path-to-regexp: path-to-regexp: Denial of Service via crafted regular expressions",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this vulnerability, limit the use of multiple sequential optional groups in route patterns within applications that use `path-to-regexp`. Additionally, avoid directly passing user-controlled input as route patterns to prevent the generation of maliciously crafted regular expressions."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/path-to-regexp",
              "product": "path-to-regexp",
              "vendor": "path-to-regexp",
              "versions": [
                {
                  "lessThan": "8.4.0",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "8.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "uug4na"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "blakeembrey"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "UlisesGascon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Impact:\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\nPatches:\n\nFixed in version 8.4.0.\n\nWorkarounds:\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns."
                }
              ],
              "value": "Impact:\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\nPatches:\n\nFixed in version 8.4.0.\n\nWorkarounds:\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-26T18:59:38.000Z",
            "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
            "shortName": "openjs"
          },
          "references": [
            {
              "url": "https://cna.openjsf.org/security-advisories.html"
            }
          ],
          "title": "path-to-regexp vulnerable to Denial of Service via sequential optional groups",
          "x_generator": {
            "engine": "cve-kit 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "assignerShortName": "openjs",
        "cveId": "CVE-2026-4926",
        "datePublished": "2026-03-26T18:59:38.000Z",
        "dateReserved": "2026-03-26T18:36:49.229Z",
        "dateUpdated": "2026-06-30T12:10:34.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4867 (GCVE-0-2026-4867)

    Vulnerability from cvelistv5 – Published: 2026-03-26 16:16 – Updated: 2026-03-26 16:52
    VLAI
    Title
    path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
    Summary
    Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking. Patches: Upgrade to path-to-regexp@0.1.13 Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group. Workarounds: All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+). If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    path-to-regexp path-to-regexp Affected: 0 , < 0.1.13 (semver)
    Create a notification for this product.
    Credits
    EthanKim88 blakeembrey UlisesGascon
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4867",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T16:52:08.810671Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-26T16:52:14.893Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/path-to-regexp",
              "product": "path-to-regexp",
              "vendor": "path-to-regexp",
              "versions": [
                {
                  "lessThan": "0.1.13",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "EthanKim88"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "blakeembrey"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "UlisesGascon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Impact:\n\nA bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.\n\nPatches:\n\nUpgrade to path-to-regexp@0.1.13\n\nCustom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.\n\nWorkarounds:\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length."
                }
              ],
              "value": "Impact:\n\nA bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.\n\nPatches:\n\nUpgrade to path-to-regexp@0.1.13\n\nCustom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.\n\nWorkarounds:\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-26T16:16:25.501Z",
            "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
            "shortName": "openjs"
          },
          "references": [
            {
              "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j"
            },
            {
              "url": "https://blakeembrey.com/posts/2024-09-web-redos"
            },
            {
              "url": "https://cna.openjsf.org/security-advisories.html"
            }
          ],
          "title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",
          "x_generator": {
            "engine": "cve-kit 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "assignerShortName": "openjs",
        "cveId": "CVE-2026-4867",
        "datePublished": "2026-03-26T16:16:25.501Z",
        "dateReserved": "2026-03-25T20:11:53.714Z",
        "dateUpdated": "2026-03-26T16:52:14.893Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }