Skip to main content

Brace Expansion

1 CVEs product

Monthly

CVE-2026-13149 HIGH PATCH This Week

{}' brace groups to the expand() function, whose recursion is exponential in the number of such groups. Because brace-expansion is a near-ubiquitous transitive dependency (notably via minimatch/glob), any application that feeds untrusted input to expand() directly or indirectly is exposed. No public exploit was identified at time of analysis, though the CVSS 4.0 threat metric (E:P) indicates proof-of-concept maturity; the issue is not in CISA KEV.

Denial Of Service Brace Expansion Red Hat Suse
NVD GitHub
CVSS 4.0
7.7
EPSS
0.4%
EPSS 0% CVSS 7.7
HIGH PATCH This Week

{}' brace groups to the expand() function, whose recursion is exponential in the number of such groups. Because brace-expansion is a near-ubiquitous transitive dependency (notably via minimatch/glob), any application that feeds untrusted input to expand() directly or indirectly is exposed. No public exploit was identified at time of analysis, though the CVSS 4.0 threat metric (E:P) indicates proof-of-concept maturity; the issue is not in CISA KEV.

Denial Of Service Brace Expansion Red Hat +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy