VYPR

Picomatch

by Jonschlinkert

npm: picomatch

Source repositories

CVEs (2)

  • CVE-2026-33671 | High | Mar 26, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when…

  • CVE-2026-33672 | Medium | Mar 26, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket…