Sign In

CVE-2026-4926

ADVISORY - github

Summary

Impact

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches

Fixed in version 8.4.0.

Workarounds

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

EPSS Score: 0.0004 (0.121)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-1333

Inefficient Regular Expression Complexity

CWE-400

Uncontrolled Resource Consumption

ADVISORY - github

CWE-1333

Inefficient Regular Expression Complexity

CWE-400

Uncontrolled Resource Consumption

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in