Skip to main content

CWE-1333

Inefficient Regular Expression Complexity (ReDoS)

278 CVEs Avg CVSS 6.9 MITRE
3
CRITICAL
169
HIGH
98
MEDIUM
7
LOW
111
POC
0
KEV

Monthly

CVE-2026-6850 MEDIUM This Month

Catastrophic regex backtracking in Mattermost's client-side markdown parser can be triggered by an authenticated user posting a specially crafted message attachment, causing a denial-of-service condition for every user rendering that channel. Affected builds span versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low exploitation complexity (AC:L, PR:L) lowers the bar for any authenticated insider or compromised account.

Denial Of Service Mattermost
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57584 HIGH PATCH This Week

Regular-expression denial of service (ReDoS) in the Phalcon PHP framework before 5.15.0 lets remote unauthenticated attackers exhaust server CPU by sending a crafted request URI. Every default MVC application registers a built-in route whose compiled PCRE pattern contains a nested quantifier that Router::handle() evaluates against the raw request path on every request, so a path with repeated slashes followed by decoded newlines triggers catastrophic backtracking. There is no public exploit identified at time of analysis, and the CVSS 4.0 score of 8.7 reflects a high availability impact with no confidentiality or integrity effect.

Denial Of Service PHP Cphalcon
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-59220 MEDIUM PATCH This Month

Regular expression denial of service in Open WebUI 0.9.2-0.9.x allows any authenticated user to block the Python asyncio event loop by sending a single malformed chat message. The SKILL_MENTION_RE and strip_re patterns in middleware.py use overlapping quantifiers when parsing skill-mention syntax, causing quadratic backtracking on input containing '<$' without a closing '>'. Because the event loop is synchronously blocked, the attack effectively takes the entire Open WebUI instance offline for all concurrent users. No public exploit code or active exploitation has been identified at time of analysis; the fix is confirmed in the v0.10.0 release.

Denial Of Service Open Webui
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-15154 MEDIUM This Month

ReDoS vulnerability in the guardrails-detectors component of Red Hat OpenShift AI enables adjacent-network attackers to submit specially crafted regular expressions to the public detection API, triggering catastrophic backtracking that pins a worker process at 100% CPU indefinitely. The availability impact extends beyond the component itself - the entire guardrails-mediated LLM pipeline is rendered non-functional. No public exploit identified at time of analysis, but exploitation requires no authentication and trivial effort from an adjacent network position.

Red Hat Denial Of Service Openshift Ai
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14895 HIGH PATCH This Week

Regular-expression denial of service in the String::Util Perl module (versions before 1.36) lets remote unauthenticated attackers exhaust CPU by supplying a string with a long run of whitespace to the trim or rtrim functions. The vulnerable `s/\s*$//u` pattern backtracks quadratically over whitespace runs, so any application feeding untrusted input through these helpers is exposed. No public exploit code has been identified; EPSS is low (0.19%, 9th percentile) and the flaw is not on CISA KEV, indicating no observed active exploitation.

Denial Of Service String
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-55574 PyPI HIGH PATCH This Week

Denial of service in vLLM inference servers prior to 0.24.0 allows remote unauthenticated attackers to hang an inference worker indefinitely by submitting a single request with an adversarial regular expression via the structured_outputs.regex API parameter. The pattern is passed to grammar compiler backends (xgrammar with no guard, outlines with structural-but-not-complexity validation) where nested quantifiers trigger exponential state-space expansion (ReDoS). No public exploit identified at time of analysis, though the trivial request-based trigger makes weaponization straightforward.

Denial Of Service Vllm
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-52746 npm HIGH PATCH GHSA This Week

Denial of service in the JSONata JavaScript query/transformation library (npm 'jsonata') before 2.2.0 allows remote attackers to hang the event loop by supplying crafted, non-matching date strings to the $toMillis function, whose ISO-8601 validation regex is vulnerable to superlinear (catastrophic) backtracking. Any application that evaluates user-provided JSONata expressions or feeds attacker-controlled data into $toMillis is exposed. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but EPSS/exploitation likelihood aside, the CVSS 7.5 (A:H) reflects a clean availability-only impact.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
CVE-2026-58578 HIGH POC PATCH This Week

Denial of service in LobeChat before 2.2.10-canary.15 lets an authenticated user hang the entire Node.js server by importing a GitHub-hosted skill whose repository URL path contains a catastrophic-backtracking regex pattern. Because the malicious basePath is compiled into a dynamic regular expression in findSkillMd and matched synchronously against archive entries, a single request blocks the shared event loop for tens of seconds, denying service to all concurrent users. Publicly available exploit code exists and a vendor patch is available, though there is no public exploit identified as being used in active exploitation.

Node.js Denial Of Service Lobehub
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-48801 npm HIGH POC PATCH GHSA This Week

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by submitting tens of KB of repeated email/link-like text. The core public API LinkifyIt.prototype.match runs an O(N²) scan loop that re-slices the input and re-runs unanchored fuzzy regex searches once per match, so 64 KB of "a@b.com" burns ~2.5 s of single-threaded CPU and 128 KB ~10 s. The flaw is inherited by markdown-it (~21.6M weekly npm downloads) whenever linkify:true is set, exposing forums, chat, wikis and AI chat UIs; publicly available exploit code (a PoC in the GHSA advisory) exists, but there is no evidence of active exploitation.

Apple Node.js Mattermost Denial Of Service Gitlab
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-52794 HIGH PATCH This Week

Denial of service in Sentry's self-hosted/SaaS event ingestion pipeline (versions 24.4.0 through 26.5.1) lets remote actors who can submit events stall worker CPU via a Regular Expression Denial of Service (ReDoS). A loosely-written hostname-detection regex in the grouping parameterization stage (parameterization.py) backtracks catastrophically on crafted attacker-controlled event fields, exhausting CPU and degrading or halting event processing. No public exploit identified at time of analysis and it is not in CISA KEV, but the fix (26.5.2) and the triggering regex are publicly disclosed in the GitHub advisory and PR #116587, lowering the bar to reproduce.

Denial Of Service Sentry
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
EPSS 0% CVSS 6.5
MEDIUM This Month

Catastrophic regex backtracking in Mattermost's client-side markdown parser can be triggered by an authenticated user posting a specially crafted message attachment, causing a denial-of-service condition for every user rendering that channel. Affected builds span versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low exploitation complexity (AC:L, PR:L) lowers the bar for any authenticated insider or compromised account.

Denial Of Service Mattermost
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Regular-expression denial of service (ReDoS) in the Phalcon PHP framework before 5.15.0 lets remote unauthenticated attackers exhaust server CPU by sending a crafted request URI. Every default MVC application registers a built-in route whose compiled PCRE pattern contains a nested quantifier that Router::handle() evaluates against the raw request path on every request, so a path with repeated slashes followed by decoded newlines triggers catastrophic backtracking. There is no public exploit identified at time of analysis, and the CVSS 4.0 score of 8.7 reflects a high availability impact with no confidentiality or integrity effect.

Denial Of Service PHP Cphalcon
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Regular expression denial of service in Open WebUI 0.9.2-0.9.x allows any authenticated user to block the Python asyncio event loop by sending a single malformed chat message. The SKILL_MENTION_RE and strip_re patterns in middleware.py use overlapping quantifiers when parsing skill-mention syntax, causing quadratic backtracking on input containing '<$' without a closing '>'. Because the event loop is synchronously blocked, the attack effectively takes the entire Open WebUI instance offline for all concurrent users. No public exploit code or active exploitation has been identified at time of analysis; the fix is confirmed in the v0.10.0 release.

Denial Of Service Open Webui
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

ReDoS vulnerability in the guardrails-detectors component of Red Hat OpenShift AI enables adjacent-network attackers to submit specially crafted regular expressions to the public detection API, triggering catastrophic backtracking that pins a worker process at 100% CPU indefinitely. The availability impact extends beyond the component itself - the entire guardrails-mediated LLM pipeline is rendered non-functional. No public exploit identified at time of analysis, but exploitation requires no authentication and trivial effort from an adjacent network position.

Red Hat Denial Of Service Openshift Ai
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Regular-expression denial of service in the String::Util Perl module (versions before 1.36) lets remote unauthenticated attackers exhaust CPU by supplying a string with a long run of whitespace to the trim or rtrim functions. The vulnerable `s/\s*$//u` pattern backtracks quadratically over whitespace runs, so any application feeding untrusted input through these helpers is exposed. No public exploit code has been identified; EPSS is low (0.19%, 9th percentile) and the flaw is not on CISA KEV, indicating no observed active exploitation.

Denial Of Service String
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in vLLM inference servers prior to 0.24.0 allows remote unauthenticated attackers to hang an inference worker indefinitely by submitting a single request with an adversarial regular expression via the structured_outputs.regex API parameter. The pattern is passed to grammar compiler backends (xgrammar with no guard, outlines with structural-but-not-complexity validation) where nested quantifiers trigger exponential state-space expansion (ReDoS). No public exploit identified at time of analysis, though the trivial request-based trigger makes weaponization straightforward.

Denial Of Service Vllm
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

Denial of service in the JSONata JavaScript query/transformation library (npm 'jsonata') before 2.2.0 allows remote attackers to hang the event loop by supplying crafted, non-matching date strings to the $toMillis function, whose ISO-8601 validation regex is vulnerable to superlinear (catastrophic) backtracking. Any application that evaluates user-provided JSONata expressions or feeds attacker-controlled data into $toMillis is exposed. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but EPSS/exploitation likelihood aside, the CVSS 7.5 (A:H) reflects a clean availability-only impact.

Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Denial of service in LobeChat before 2.2.10-canary.15 lets an authenticated user hang the entire Node.js server by importing a GitHub-hosted skill whose repository URL path contains a catastrophic-backtracking regex pattern. Because the malicious basePath is compiled into a dynamic regular expression in findSkillMd and matched synchronously against archive entries, a single request blocks the shared event loop for tens of seconds, denying service to all concurrent users. Publicly available exploit code exists and a vendor patch is available, though there is no public exploit identified as being used in active exploitation.

Node.js Denial Of Service Lobehub
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by submitting tens of KB of repeated email/link-like text. The core public API LinkifyIt.prototype.match runs an O(N²) scan loop that re-slices the input and re-runs unanchored fuzzy regex searches once per match, so 64 KB of "a@b.com" burns ~2.5 s of single-threaded CPU and 128 KB ~10 s. The flaw is inherited by markdown-it (~21.6M weekly npm downloads) whenever linkify:true is set, exposing forums, chat, wikis and AI chat UIs; publicly available exploit code (a PoC in the GHSA advisory) exists, but there is no evidence of active exploitation.

Apple Node.js Mattermost +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Sentry's self-hosted/SaaS event ingestion pipeline (versions 24.4.0 through 26.5.1) lets remote actors who can submit events stall worker CPU via a Regular Expression Denial of Service (ReDoS). A loosely-written hostname-detection regex in the grouping parameterization stage (parameterization.py) backtracks catastrophically on crafted attacker-controlled event fields, exhausting CPU and degrading or halting event processing. No public exploit identified at time of analysis and it is not in CISA KEV, but the fix (26.5.2) and the triggering regex are publicly disclosed in the GitHub advisory and PR #116587, lowering the bar to reproduce.

Denial Of Service Sentry
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy