CVE-2026-4923

CVE-2026-4923 is a medium-severity vulnerability in Pillarjs Path-to-regexp with a CVSS 3.x base score of 5.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1333.

Key facts

Description

Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /*foo-*bar-:baz /*a-:b-*c-:d /x/*a-:b/*c/y Safe examples: /*foo-:bar /*foo-:bar-*baz Patches: Upgrade to version 8.4.0. Workarounds: If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.

Frequently asked questions

What is CVE-2026-4923?
Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /*foo-*bar-:baz /*a-:b-*c-:d /x/*a-:b/*c/y Safe examples: /*foo-:bar /*foo-:bar-*baz Patches: Upgrade to version 8.4.0. Workarounds: If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
How severe is CVE-2026-4923?
CVE-2026-4923 has a CVSS 3.x base score of 5.9, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2026-4923 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (27th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-4923?
CVE-2026-4923 affects Pillarjs Path-to-regexp. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-4923?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-4923 have an EU (EUVD) identifier?
Yes. CVE-2026-4923 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-16322.
When was CVE-2026-4923 published?
CVE-2026-4923 was published on 2026-03-26 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Pillarjs Path-to-regexp

All CVEs affecting Pillarjs Path-to-regexp →

Other CWE-1333 vulnerabilities

Browse all CWE-1333 vulnerabilities →