CVE-2026-4926

ADVISORY - github

Summary

Impact

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches

Fixed in version 8.4.0.

Workarounds

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
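As an added example (not code from the advisory or from the affected project), the first workaround can be enforced with a check that runs before a pattern is registered and measures the longest run of back-to-back optional groups. The function names, the limit of 2, and the treatment of backslash as an escape character are assumptions.

```javascript
// Added example: names, the limit, and backslash-escape handling are assumptions.
const MAX_SEQUENTIAL_GROUPS = 2; // assumed policy value; the advisory gives no number

// Longest run of adjacent {...} groups at any nesting depth, e.g. 3 for "{a}{b}{c}:z".
function longestOptionalGroupRun(pattern) {
  const runs = [0]; // runs[d]: current run of adjacent groups at depth d
  let longest = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    const top = runs.length - 1;
    if (ch === "{") {
      runs[top] += 1;
      longest = Math.max(longest, runs[top]);
      runs.push(0); // start counting inside the new group
    } else if (ch === "}") {
      if (top === 0) throw new SyntaxError(`unbalanced "}" at index ${i}`);
      runs.pop(); // back to the parent; its run count is preserved
    } else {
      if (ch === "\\") i += 1; // assumed escape: skip the escaped character
      runs[top] = 0; // any text between groups ends the run
    }
  }
  if (runs.length !== 1) throw new SyntaxError('unclosed "{" in pattern');
  return longest;
}

// Gate to call before a pattern is handed to the router.
function checkRoutePattern(pattern, limit = MAX_SEQUENTIAL_GROUPS) {
  if (typeof pattern !== "string") return { ok: false, reason: "pattern must be a string" };
  let run;
  try {
    run = longestOptionalGroupRun(pattern);
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  if (run > limit) {
    return { ok: false, reason: `${run} sequential optional groups (limit ${limit})` };
  }
  return { ok: true, reason: null };
}

// Constructed sample patterns; the first is the one quoted in the advisory.
for (const p of ["{a}{b}{c}:z", "/users{/:id}", "{a}/{b}"]) {
  console.log(p, checkRoutePattern(p));
}
```

Malformed patterns are rejected rather than passed through, so the check fails closed.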

EPSS Score: 0.0004 (0.121)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Inefficient Regular Expression Complexity

Uncontrolled Resource Consumption

ADVISORY - github

Inefficient Regular Expression Complexity

Uncontrolled Resource Consumption


NIST

ADVISORY ID: CVE-2026-4926
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

7.5 high

GitHub

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

7.5 high

Debian

ADVISORY ID: CVE-2026-4926
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
-
RATING UNAVAILABLE FROM ADVISORY