CVE-2026-21868
CVE-2026-21868 is a high-severity vulnerability in Flagforge with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1333.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 0% (18th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-1664
- Weakness: CWE-1333
- Affected product: Flagforge
- Published:
- Last modified:
Description
Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To workaround this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.
Frequently asked questions
- What is CVE-2026-21868?
- Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To workaround this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.
- How severe is CVE-2026-21868?
- CVE-2026-21868 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-21868 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (18th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-21868?
- CVE-2026-21868 affects Flagforge. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-21868?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-21868 have an EU (EUVD) identifier?
- Yes. CVE-2026-21868 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-1664.
- When was CVE-2026-21868 published?
- CVE-2026-21868 was published on 2026-01-08 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:flagforge:flagforge:*:*:*:*:*:*:*:*
More vulnerabilities in Flagforge
- CVE-2025-59841 — Critical (CVSS 9.8): Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application…
- CVE-2025-59827 — Critical (CVSS 9.8): Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, the /api/admin/assign-badge endpoint lacks proper…
- CVE-2025-61777 — Critical (CVSS 9.4): Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the…
- CVE-2025-59932 — High (CVSS 8.6): Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the /api/resources endpoint…
- CVE-2025-59826 — High (CVSS 7.6): Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, non-admin users can create arbitrary challenges,…
- CVE-2025-59833 — High (CVSS 7.5): Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET…
All CVEs affecting Flagforge →
Other CWE-1333 vulnerabilities
- CVE-2026-35458 — Critical (CVSS 9.8): Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile…
- CVE-2023-29486 — Critical (CVSS 9.8): An issue was discovered in Heimdal Thor agent versions 3.4.2 and before 3.7.0 on Windows, allows attackers to bypass…
- CVE-2026-25547 — Critical (CVSS 9.2): @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1,…
- CVE-2023-29487 — Critical (CVSS 9.1): An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS,…
- CVE-2026-47138 — High (CVSS 8.7): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to…
- CVE-2025-6998 — High (CVSS 8.7): ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated…