CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-4926

Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.001

EPSS Ranking 16.3%

CVSS Severity

CVSS v3 Score 7.5

References

https://cna.openjsf.org/security-advisories.html

Products affected by CVE-2026-4926

Pillarjs » Path-To-Regexp » Version: Any

cpe:2.3:a:pillarjs:path-to-regexp:*

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-4926

Products

Pricing

Contact Us