CVE-2026-21868

Name of the Vulnerable Software and Affected Versions Flag Forge versions 2.3.2 and below

Description Flag Forge is a Capture The Flag (CTF) platform susceptible to a Regular Expression Denial of Service (ReDoS) condition. The issue resides in the user profile API endpoint, /api/user/[username]. The application dynamically builds a regular expression using unescaped user input, specifically the username parameter. An attacker can exploit this by providing a specially crafted username containing regex meta-characters, such as deeply nested groups or quantifiers. This manipulation causes the MongoDB regex engine to consume excessive CPU resources, potentially leading to a Denial of Service for other users.

Recommendations Versions prior to 2.3.3 should be updated to version 2.3.3 or later. Implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.