PatchSiren cyber security CVE debrief
CVE-2026-4926 path-to-regexp CVE debrief
CVE-2026-4926 is a high-severity vulnerability in the Path-To-Regexp library. When a route pattern contains multiple sequential optional groups, the library generates a bad regular expression, which can be used to cause denial of service. The vulnerability has a CVSS score of 7.5; it was published on March 26, 2026 and modified on June 30, 2026. It affects versions prior to 8.4.0 and can be mitigated by limiting sequential optional groups in route patterns or by upgrading to version 8.4.0 or later.
- Vendor: path-to-regexp
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-26
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-26
- Advisory updated: 2026-06-30
Who should care
Developers who use the Path-To-Regexp library in their applications should be aware of this vulnerability. It can be exploited via specially crafted route patterns, potentially leading to denial of service. Users of affected versions should take steps to mitigate it.
Technical summary
The vulnerability is caused by the generation of a bad regular expression when a route pattern contains multiple sequential optional groups. The resulting regular expression can grow exponentially, which can be used to cause denial of service. The vulnerability has a CVSS score of 7.5 and is classified as high-severity. The affected library, Path-To-Regexp, is used in many applications and can be exploited via specially crafted route patterns.
Defensive priority
Mitigating this vulnerability should be given high priority, as it can be exploited via specially crafted route patterns, potentially leading to denial of service. Developers should limit sequential optional groups in route patterns or upgrade to version 8.4.0 or later.
Recommended defensive actions
- Limit sequential optional groups in route patterns.
- Upgrade to version 8.4.0 or later of the Path-To-Regexp library.
- Review and update affected applications to ensure they are not vulnerable.
- Monitor for potential denial of service attacks.
- Implement compensating controls to mitigate potential impacts.
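The first recommended action, limiting sequential optional groups, can be enforced before routes are registered. The following audit is an added example, not code from the path-to-regexp project or from the advisory: it scans a list of route patterns, measures the longest run of optional groups that directly follow one another, and flags any pattern over a threshold. It assumes that optional groups are written with braces (for example `/files{/:dir}{/:name}`), as in the library's 8.x pattern syntax; the threshold of 2 and the sample routes are constructed for illustration and are not values from the advisory.

```javascript
// Added example: pre-deployment audit of route patterns for runs of
// sequential optional groups. Not path-to-regexp's own code.
// Assumption: optional groups are brace-delimited, e.g. "/a{/:b}{/:c}".

// Assumed policy threshold, not a value taken from the advisory.
const MAX_SEQUENTIAL_OPTIONAL_GROUPS = 2;

// Returns the length of the longest run of optional groups that directly
// follow one another, i.e. the next "{" begins exactly where the previous
// group's closing "}" ended. Backslash-escaped braces are ignored.
function longestOptionalRun(pattern) {
  let longest = 0;
  let current = 0;
  let depth = 0;
  let lastGroupEnd = -1; // index just after the most recent top-level "}"
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; } // skip the escaped character
    if (ch === '{') {
      if (depth === 0) {
        // Sequential only if this group starts where the previous one ended.
        current = (lastGroupEnd === i) ? current + 1 : 1;
        if (current > longest) longest = current;
      }
      depth++;
    } else if (ch === '}' && depth > 0) {
      depth--;
      if (depth === 0) lastGroupEnd = i + 1;
    }
  }
  return longest;
}

// Returns the patterns whose longest run exceeds the threshold, with the
// measured run so the finding can be reported or used to fail a build.
function auditRoutePatterns(patterns, maxRun = MAX_SEQUENTIAL_OPTIONAL_GROUPS) {
  return patterns
    .map((pattern) => ({ pattern, run: longestOptionalRun(pattern) }))
    .filter((result) => result.run > maxRun);
}

// Constructed sample routes (not taken from any real application).
const SAMPLE_ROUTES = [
  '/users/:id',
  '/files{/:dir}{/:name}',
  '/search{/:a}{/:b}{/:c}{/:d}{/:e}',
  '/docs{/:lang}/page{/:slug}',
];

for (const hit of auditRoutePatterns(SAMPLE_ROUTES)) {
  console.log(`flagged: ${hit.pattern} (${hit.run} sequential optional groups)`);
}
```

Running the audit in CI against the application's route table turns the "limit sequential optional groups" guidance into a check that fails the build when a pattern exceeds the chosen threshold; groups separated by a literal path segment (as in `/docs{/:lang}/page{/:slug}`) are counted as separate runs of one, so only genuinely adjacent groups contribute to the measured run.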
Evidence notes
The vulnerability was published on March 26, 2026, and modified on June 30, 2026. The CVSS score is 7.5, and it is classified as high-severity. The affected library, Path-To-Regexp, is used in various applications. The vulnerability can be mitigated by limiting sequential optional groups in route patterns or upgrading to version 8.4.0 or later.
Official resources
- CVE-2026-4926 CVE record (CVE.org)
- CVE-2026-4926 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: ce714d77-add3-4f53-aff5-83d477b104bb - Third Party Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.