CVE-2026-4923
CVE-2026-4923 is a medium-severity vulnerability in Pillarjs Path-to-regexp with a CVSS 3.x base score of 5.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1333.
Key facts
- Severity: Medium (CVSS 3.x base score 5.9)
- EPSS exploit prediction: 0% (27th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-16322
- Weakness: CWE-1333
- Affected product: Pillarjs Path-to-regexp
- Published:
- Last modified:
Description
Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /*foo-*bar-:baz /*a-:b-*c-:d /x/*a-:b/*c/y Safe examples: /*foo-:bar /*foo-:bar-*baz Patches: Upgrade to version 8.4.0. Workarounds: If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
Frequently asked questions
- What is CVE-2026-4923?
- Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /*foo-*bar-:baz /*a-:b-*c-:d /x/*a-:b/*c/y Safe examples: /*foo-:bar /*foo-:bar-*baz Patches: Upgrade to version 8.4.0. Workarounds: If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
- How severe is CVE-2026-4923?
- CVE-2026-4923 has a CVSS 3.x base score of 5.9, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-4923 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (27th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-4923?
- CVE-2026-4923 affects Pillarjs Path-to-regexp. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-4923?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-4923 have an EU (EUVD) identifier?
- Yes. CVE-2026-4923 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-16322.
- When was CVE-2026-4923 published?
- CVE-2026-4923 was published on 2026-03-26 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:pillarjs:path-to-regexp:*:*:*:*:*:node.js:*:*
More vulnerabilities in Pillarjs Path-to-regexp
- CVE-2026-4926 — High (CVSS 7.5): Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace…
- CVE-2026-4867 — High (CVSS 7.5): Impact: A bad regular expression is generated any time you have three or more parameters within a single segment,…
All CVEs affecting Pillarjs Path-to-regexp →
Other CWE-1333 vulnerabilities
- CVE-2026-35458 — Critical (CVSS 9.8): Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile…
- CVE-2023-29486 — Critical (CVSS 9.8): An issue was discovered in Heimdal Thor agent versions 3.4.2 and before 3.7.0 on Windows, allows attackers to bypass…
- CVE-2026-25547 — Critical (CVSS 9.2): @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1,…
- CVE-2023-29487 — Critical (CVSS 9.1): An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS,…
- CVE-2026-47138 — High (CVSS 8.7): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to…
- CVE-2025-6998 — High (CVSS 8.7): ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated…