PT-2026-28675 · Unknown · Path-To-Regexp

Blakeembrey · Published 2026-01-01 · Updated 2026-05-18 · CVE-2026-4926

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

path-to-regexp versions prior to 8.4.0

Description

A flawed regular expression is created when multiple sequential optional groups (using curly brace syntax) are present, such as {a}{b}{c}:z. The resulting regular expression expands exponentially with the number of groups, potentially leading to a denial of service. Avoid passing user-controlled input as route patterns.

Recommendations

Versions prior to 8.4.0 should be updated to version 8.4.0 or later. Limit the number of sequential optional groups in route patterns.
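
One way to enforce the second recommendation before a pattern reaches the router, as an added example that is not part of the advisory or of path-to-regexp itself. The function names and the limit of 2 are assumptions, and the scanner is deliberately simplified: it understands only curly braces and backslash escapes.

```javascript
// Added example: pre-registration guard for route patterns (not path-to-regexp code).
// Assumption: MAX_SEQUENTIAL_GROUPS is a local policy value, not taken from the advisory.
const MAX_SEQUENTIAL_GROUPS = 2;

// Returns the longest run of back-to-back "{...}" groups at any nesting depth.
// Simplified scanner: understands only "{", "}" and backslash escapes.
function longestOptionalGroupRun(pattern) {
  let longest = 0;
  const runs = [0]; // runs[d] = current run of adjacent groups at depth d
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    const top = runs.length - 1;
    if (ch === "{") {
      runs[top] += 1;
      longest = Math.max(longest, runs[top]);
      runs.push(0); // enter the group body
    } else if (ch === "}") {
      if (top === 0) throw new SyntaxError(`Unbalanced "}" at index ${i}`);
      runs.pop(); // parent run stays open: an immediate "{" extends it
    } else {
      if (ch === "\\") i++; // the escaped character is a literal, skip it
      runs[top] = 0; // any literal or parameter text ends the run
    }
  }
  if (runs.length !== 1) throw new SyntaxError('Unclosed "{" in pattern');
  return longest;
}

// Throws if the pattern exceeds the limit; otherwise returns it unchanged.
function assertSafeRoutePattern(pattern, limit = MAX_SEQUENTIAL_GROUPS) {
  const run = longestOptionalGroupRun(pattern);
  if (run > limit) {
    throw new RangeError(
      `Route pattern has ${run} sequential optional groups (limit ${limit})`
    );
  }
  return pattern;
}

// Filters a list of patterns (e.g. loaded from configuration) down to the rejected ones.
function rejectedPatterns(patterns, limit = MAX_SEQUENTIAL_GROUPS) {
  return patterns.filter((p) => longestOptionalGroupRun(p) > limit);
}
```

The guard complements the update to 8.4.0 or later; it does not replace it.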

Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AD27625
CLEANSTART-2026-BE61221
CLEANSTART-2026-IS05941
CLEANSTART-2026-KS09647
CLEANSTART-2026-TW25027
CLEANSTART-2026-TZ34913
CVE-2026-4926
GHSA-J3Q9-MXJG-W52F

Affected Products

Path-To-Regexp