CVEs classified under CWE-185, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (28)
CVE-2024-52289 — CVSS 9.8 (critical): authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. When no…
CVE-2019-12798 — CVSS 9.8 (critical): An issue was discovered in Artifex MuJS 1.0.5. regcompx in regexp.c does not restrict regular expression program size, leading to an…
CVE-2026-25896 — CVSS 9.3 (critical): fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no…
CVE-2026-4296 — CVSS 8.8 (high): An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect…
CVE-2018-17984 — CVSS 7.8 (high): An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 makes it possible to include arbitrary files, leading to code…
CVE-2026-33418 — CVSS 7.5 (high): DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the `ensureSize()` function in `@dicebear/converter`…
CVE-2025-20139 — CVSS 7.5 (high): A vulnerability in chat messaging features of Cisco Enterprise Chat and Email (ECE) could allow an unauthenticated, remote attacker to…
CVE-2019-14993 — CVSS 7.5 (high): Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the…
CVE-2018-20801 — CVSS 7.5 (high): In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the use of backtracking regular expressions permitted an attacker to conduct a…
CVE-2018-11615 — CVSS 7.5 (high): This vulnerability allows remote attackers to deny service on vulnerable installations of npm mosca 2.8.1. Authentication is not required…
CVE-2018-7158 — CVSS 7.5 (high): The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in…
CVE-2026-48147 — CVSS 6.5 (medium): Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/mi…
CVE-2026-25542 — CVSS 6.5 (medium): Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.43.0 and prior to versions…
CVE-2026-25479 — CVSS 6.5 (medium): Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist…
CVE-2020-7929 — CVSS 6.5 (medium): A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex…
CVE-2020-1741 — CVSS 5.9 (medium): A flaw was found in openshift-ansible. OpenShift Container Platform (OCP) 3.11 is too permissive in the way it specified CORS allowed…
CVE-2026-39350 — CVSS 5.4 (medium): Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0…
CVE-2026-56021 — CVSS 5.3 (medium): Webmin allows unauthenticated attackers to read the contents of any file ending in .conf within module directories, due to a bypassable…
CVE-2026-47674 — CVSS 5.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware…
CVE-2026-3419 — CVSS 5.3 (medium): Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC…
CVE-2021-36093 — CVSS 5.3 (medium): It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS. This issue affects: OTRS AG…
CVE-2018-20164 — CVSS 5.3 (medium): An issue was discovered in regex.yaml (aka regexes.yaml) in UA-Parser UAP-Core before 0.6.0. A Regular Expression Denial of Service (ReDoS)…
CVE-2018-7537 — CVSS 5.3 (medium): An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars()…
CVE-2018-7536 — CVSS 5.3 (medium): An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was…
CVE-2026-24398 — CVSS 4.8 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in…
CVE-2026-27895 — CVSS 4.3 (medium): LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to…