What is CVE-2026-5986?

CVE-2026-5986 is a medium-severity vulnerability in Zod Jsvideourlparser, classified under Inefficient Regular Expression Complexity. CVSS score: 5.3/10. Published 2026-04-09.

How severe is CVE-2026-5986?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Resource exhaustion in Zod Jsvideourlparser

CVE-2026-5986

A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It i…

Vulnerability class: ReDoS (Regular Expression Denial of Service)

EPSS: 0.001 (18.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R.

Affected products

Zod Jsvideourlparser — versions 0.5.0, 0.5.1

Weakness classification (CWE)

References

VDB-356540 | Zod jsVideoUrlParser util.js getTime redos (vdb-entry, technical-description)
VDB-356540 | CTI Indicators (IOB, IOC, TTP, IOA) (signature, permissions-required)
Submit #791911 | Zod- jsVideoUrlParser 0.1.3 to 0.5.1 Inefficient Regular Expression Complexity (third-party-advisory)
github.com/Zod-/jsVideoUrlParser/issues/121 (issue-tracking)
github.com/Zod-/jsVideoUrlParser/issues/121 (exploit, issue-tracking)

Frequently asked questions

What is CVE-2026-5986?: CVE-2026-5986 is a medium-severity vulnerability in Zod Jsvideourlparser, classified under Inefficient Regular Expression Complexity. CVSS score: 5.3/10. Published 2026-04-09.
How severe is CVE-2026-5986?: Medium severity. CVSS v3 base score is 5.3 out of 10.