PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4926 path-to-regexp CVE debrief

CVE-2026-4926 is a high-severity vulnerability in the path-to-regexp library. When a route pattern contains multiple sequential optional groups, the library generates a bad regular expression, which can be used to cause denial of service. The vulnerability has a CVSS score of 7.5 and was published on March 26, 2026; the record was last modified on June 30, 2026. It affects versions prior to 8.4.0 and can be mitigated by limiting sequential optional groups in route patterns or by upgrading to version 8.4.0 or later.

Vendor
path-to-regexp
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-26
Original CVE updated
2026-06-30
Advisory published
2026-03-26
Advisory updated
2026-06-30

Who should care

Developers using the path-to-regexp library in their applications should be aware of this vulnerability. It can be exploited via specially crafted route patterns, potentially leading to denial of service. Users of affected versions should take steps to mitigate it.

Technical summary

The vulnerability is caused by the generation of bad regular expressions when multiple sequential optional groups are used in route patterns. The generated regular expression can grow exponentially with the number of such groups, so matching against it can consume enough resources to cause denial of service. The vulnerability has a CVSS score of 7.5 and is classified as high-severity. The affected library, path-to-regexp, is used in many applications and can be exploited via specially crafted route patterns.

Defensive priority

High priority should be given to mitigating this vulnerability, since specially crafted route patterns can trigger it and lead to denial of service. Developers should limit sequential optional groups in route patterns or upgrade to version 8.4.0 or later.

Recommended defensive actions

  • Limit sequential optional groups in route patterns.
  • Upgrade to version 8.4.0 or later of the Path-To-Regexp library.
  • Review and update affected applications to ensure they are not vulnerable.
  • Monitor for potential denial of service attacks.
  • Implement compensating controls to mitigate potential impacts.
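The first action above, limiting sequential optional groups, can be enforced as a lint over the application's route table. The following is an added example, not code from the advisory or from path-to-regexp itself; it assumes path-to-regexp 8.x brace syntax for optional groups (e.g. "/users{/:id}{/:action}") with a backslash escaping the next character, and the limit of 2 is a policy value chosen for the example.

```javascript
// Added example (not from the advisory, not from path-to-regexp itself):
// a lint for route definitions that measures how many optional groups
// appear back-to-back in a pattern, so routes can be capped before they
// reach the router.
// Assumption: optional groups use path-to-regexp 8.x brace syntax,
// e.g. "/users{/:id}{/:action}"; a backslash escapes the next character.

// Longest run of adjacent optional groups in a single pattern.
// Any literal text between two groups ends the run; an unterminated
// or nested group is a malformed pattern and is reported as an error.
function longestOptionalRun(pattern) {
  let longest = 0;
  let run = 0;
  let depth = 0; // 1 while inside {...}
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\") { // escaped character: treat as literal, skip it
      if (depth === 0) run = 0;
      i++;
      continue;
    }
    if (ch === "{") {
      if (depth !== 0) throw new Error(`nested group in ${pattern}`);
      depth = 1;
      run++;
      if (run > longest) longest = run;
    } else if (ch === "}") {
      if (depth === 0) throw new Error(`unexpected "}" in ${pattern}`);
      depth = 0;
    } else if (depth === 0) {
      run = 0; // literal text outside a group breaks the run
    }
  }
  if (depth !== 0) throw new Error(`unterminated group in ${pattern}`);
  return longest;
}

// Returns the patterns whose longest run exceeds `max`, for use as a
// CI gate over the application's route table.
function findRiskyRoutes(patterns, max) {
  return patterns.filter((p) => longestOptionalRun(p) > max);
}

// Constructed sample route table for demonstration.
const SAMPLE_ROUTES = [
  "/users{/:id}{/:action}",
  "/files{/:a}{/:b}{/:c}{/:d}",
  "/static/\\{literal\\}",
];
console.log(findRiskyRoutes(SAMPLE_ROUTES, 2)); // ["/files{/:a}{/:b}{/:c}{/:d}"]
```

Run it against the real route definitions in CI and fail the build when findRiskyRoutes returns anything, alongside the upgrade to 8.4.0 or later.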

Evidence notes

The vulnerability was published on March 26, 2026, and the record was modified on June 30, 2026. The CVSS score is 7.5, and it is classified as high-severity. The affected library, path-to-regexp, is used in many applications. The vulnerability can be mitigated by limiting sequential optional groups in route patterns or by upgrading to version 8.4.0 or later.

Official resources

This article is AI-assisted and based on the supplied source corpus.