CVE-2026-4926
High severity (CVSS 7.5). NVD Advisory, published Mar 26, 2026, updated Apr 16, 2026.
Description

Impact: path-to-regexp generates a pathological regular expression whenever a route pattern contains multiple sequential optional groups (curly-brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches: Fixed in version 8.4.0.

Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
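As an added example (not code from path-to-regexp or this advisory), the following pre-check enforces the workaround above: it tokenizes a route pattern, finds the longest run of directly adjacent {...} optional groups, and rejects the pattern before it reaches the route compiler. The brace and backslash-escape grammar, the nesting handling, the limit of 3, and every sample pattern other than {a}{b}{c}:z are assumptions made for this example.

```javascript
// Added example: gate route patterns on the number of sequential optional
// groups, per the advisory's workaround. Assumed grammar (not taken from the
// advisory): `{...}` is an optional group, `\` escapes the next character,
// and braces may nest; only top-level groups are counted.

const MAX_SEQUENTIAL_OPTIONAL_GROUPS = 3; // policy value chosen for this example

// Longest run of adjacent top-level `{...}` groups, e.g. 3 for "{a}{b}{c}:z"
// and 2 for "/files{/:dir}{.:ext}". Anything outside a group (a literal,
// a `:param`, an escaped character) breaks the run.
function longestOptionalGroupRun(pattern) {
  let depth = 0;   // current brace nesting depth
  let run = 0;     // adjacent groups seen so far in the current run
  let longest = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\") {            // escaped char is a literal, skip it
      i++;
      if (depth === 0) run = 0;
      continue;
    }
    if (ch === "{") { depth++; continue; }
    if (ch === "}") {
      if (depth === 0) throw new SyntaxError(`Unbalanced "}" at index ${i}`);
      depth--;
      if (depth === 0) { run++; longest = Math.max(longest, run); }
      continue;
    }
    if (depth === 0) run = 0;     // literal or param outside a group
  }
  if (depth !== 0) throw new SyntaxError('Unbalanced "{" in pattern');
  return longest;
}

// Accept or reject a pattern under the policy limit. Apply this to any pattern
// that is not a compile-time constant (config files, tenant-supplied routes).
// n adjacent optional groups means 2 ** n present/absent combinations, which
// is why the compiled expression grows exponentially.
function checkRoutePattern(pattern, limit = MAX_SEQUENTIAL_OPTIONAL_GROUPS) {
  const run = longestOptionalGroupRun(pattern);
  return { ok: run <= limit, sequentialOptionalGroups: run, limit };
}

// Constructed sample patterns; only "{a}{b}{c}:z" comes from the advisory.
const SAMPLE_PATTERNS = [
  "/users/:id", "/files{/:dir}{.:ext}", "{a}{b}{c}:z", "{a}{b}{c}{d}{e}{f}{g}{h}:z",
];
for (const p of SAMPLE_PATTERNS) console.log(p, checkRoutePattern(p));
```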
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| path-to-regexp (npm) | >= 8.0.0, < 8.4.0 | 8.4.0 |
Affected products
OSV package coordinates (28 entries; no CPE is assigned to any of them):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/code-server | < 4.112.0-r2 |
| pkg:apk/chainguard/gemini-cli | < 0.35.3-r0 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r12 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r12 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.7-r5 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.7-r5 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.3-r4 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.3-r4 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.5-r6 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.5-r5 |
| pkg:apk/chainguard/redisinsight | < 3.2.0-r4 |
| pkg:apk/chainguard/saf | < 1.6.0-r0 |
| pkg:apk/chainguard/thingsboard-tb-js-executor | < 4.3.1.1-r0 |
| pkg:apk/chainguard/thingsboard-tb-web-ui | < 4.3.1.1-r0 |
| pkg:apk/chainguard/tileserver-gl | < 5.5.0-r12 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.5.0-r12 |
| pkg:apk/chainguard/vitess-22 | < 22.0.4-r9 |
| pkg:apk/chainguard/vitess-23 | < 23.0.3-r12 |
| pkg:apk/chainguard/wazuh-dashboard | < 4.14.4-r1 |
| pkg:apk/wolfi/code-server | < 4.112.0-r2 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.5-r6 |
| pkg:apk/wolfi/saf | < 1.6.0-r0 |
| pkg:apk/wolfi/thingsboard-tb-js-executor | < 4.3.1.1-r0 |
| pkg:apk/wolfi/thingsboard-tb-web-ui | < 4.3.1.1-r0 |
| pkg:apk/wolfi/tileserver-gl | < 5.5.0-r12 |
| pkg:apk/wolfi/vitess-22 | < 22.0.4-r9 |
| pkg:apk/wolfi/vitess-23 | < 23.0.3-r12 |
| pkg:npm/path-to-regexp | >= 8.0.0, < 8.4.0 |
References
- cna.openjsf.org/security-advisories.html (NVD: Third Party Advisory, web)
- github.com/advisories/GHSA-j3q9-mxjg-w52f (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-4926 (GHSA: advisory)
- github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f (GHSA: web)