PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41040 GROWI, Inc. CVE debrief

GROWI, an open-source wiki platform developed by GROWI, Inc., is affected by a regular expression denial of service (ReDoS) vulnerability. The flaw stems from improper handling of crafted input strings that can trigger catastrophic backtracking in vulnerable regex patterns, leading to resource exhaustion and service unavailability. The vulnerability is classified as CWE-1333 (Inefficient Regular Expression Complexity). The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high availability impact. The CVE was published on April 23, 2026, with a subsequent modification on May 19, 2026. The vulnerability status is currently marked as 'Deferred' in the NVD. Vendor advisories have been issued through GROWI's official channels and JPCERT/CC.

Vendor: GROWI, Inc.
Product: GROWI
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-23
Original CVE updated: 2026-05-19
Advisory published: 2026-04-23
Advisory updated: 2026-05-19

Who should care

Organizations running GROWI wiki instances, particularly public-facing deployments or those that accept untrusted user input; system administrators responsible for wiki platform availability; and security teams managing the ReDoS attack surface of Node.js/JavaScript applications.

Technical summary

The vulnerability exists in GROWI's handling of user-supplied input processed through regular expressions. Attackers can submit specially crafted strings that, when matched against patterns containing nested quantifiers or overlapping alternations, cause exponential execution time in the regex engine. This ReDoS condition results in CPU exhaustion, blocking legitimate requests and potentially causing complete service unavailability. Because the attack is network-reachable (AV:N) and requires no authentication (PR:N), it is easy to exploit. The high availability impact (VA:H) reflects the denial-of-service outcome; the CVSS vector indicates no confidentiality or integrity impact.

Defensive priority

HIGH

Recommended defensive actions

  • Review GROWI official security advisory for affected versions and patch availability
  • Audit custom regex patterns in GROWI deployments for ReDoS-prone constructs
  • Implement input validation and length restrictions as temporary mitigations
  • Monitor JPCERT/CC advisory for additional technical details
  • Apply vendor patches immediately upon release
  • Consider Web Application Firewall (WAF) rules to filter malicious regex-triggering payloads
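A defender-side illustration of the regex audit and length-restriction actions above, added here as an example and not GROWI's own code: it flags the nested-quantifier shape behind CWE-1333 in a set of named patterns and caps input length before any regex runs. The sample patterns and the 256-character limit are constructed, not taken from GROWI.

```javascript
// Added example (not GROWI's code); sample patterns and the limit are constructed.
// Heuristic for the CWE-1333 shape: a group containing an unbounded quantifier
// (+ or *) that is itself quantified, e.g. (a+)+ or (\w*\s?)*. Escapes and
// character classes are skipped so [+*] and \( do not confuse the scan.
function hasNestedQuantifier(source) {
  const openGroups = []; // one entry per currently open "(" group
  let escaped = false;
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (escaped) { escaped = false; continue; }
    if (ch === '\\') { escaped = true; continue; }
    if (inClass) { if (ch === ']') inClass = false; continue; }
    if (ch === '[') { inClass = true; continue; }
    if (ch === '(') { openGroups.push({ hasQuant: false }); continue; }
    if (ch === '+' || ch === '*') {
      for (const g of openGroups) g.hasQuant = true; // marks every enclosing group
      continue;
    }
    if (ch === ')') {
      const g = openGroups.pop();
      const next = source[i + 1];
      if (g && g.hasQuant && (next === '+' || next === '*')) return true;
    }
  }
  return false;
}

// Audit a map of named patterns (as found in an app's config) and return the
// names that need review before they are run against untrusted input.
function auditPatterns(patterns) {
  return Object.entries(patterns)
    .filter(([, re]) => hasNestedQuantifier(re.source))
    .map(([name]) => name);
}
// Interim mitigation: reject over-long input before any regex runs, so even a
// backtracking-heavy pattern has bounded work. Pass non-global regexes (no /g).
const MAX_INPUT_LEN = 256; // constructed limit; tune per field
function boundedTest(re, input, maxLen = MAX_INPUT_LEN) {
  if (typeof input !== 'string' || input.length > maxLen) {
    return { ok: false, reason: 'input rejected before regex evaluation' };
  }
  return { ok: true, matched: re.test(input) };
}

// Constructed sample: one ReDoS-prone title check and one linear e-mail check.
const SAMPLE_PATTERNS = {
  pageTitle: /^([\w-]+\s?)*$/,
  emailLike: /^[^@\s]+@[^@\s]+\.[a-z]{2,}$/,
};
```

The heuristic only recognises the `+`/`*` nesting shape; overlapping alternations inside a quantified group still need manual review or a dedicated analyser.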

Evidence notes

CVE description confirms ReDoS attack vector via crafted input. CVSS 4.0 scoring (AV:N/AC:L/AT:N/PR:N/UI:N/VA:H) supports high severity classification. CWE-1333 designation aligns with regex complexity issues. Vendor references from GROWI and JPCERT/CC provide authoritative source confirmation. NVD status 'Deferred' indicates ongoing analysis.

Official resources

2026-04-23T07:16:41.070Z