CWE-185 · Incorrect Regular Expression
27 CVEs classified under CWE-185 (Incorrect Regular Expression). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2015-8389 | Critical | 9.8 | 2015-12-02 | PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which allows remote attackers to cause a denial of service (infinite recursion) o… |
| CVE-2026-25896 | Critical | 9.3 | 2026-02-20 | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3 to b… |
| CVE-2026-4296 | High | 8.8 | 2026-04-21 | An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An a… |
| CVE-2020-3408 | High | 8.6 | 2020-09-24 | A vulnerability in the Split DNS feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected d… |
| CVE-2024-2223 | High | 8.1 | 2024-04-09 | An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigur… |
| CVE-2026-33418 | High | 7.5 | 2026-03-24 | DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the `ensureSize()` function in `@dicebear/converter` used a regex-based app… |
| CVE-2025-20139 | High | 7.5 | 2025-04-02 | A vulnerability in chat messaging features of Cisco Enterprise Chat and Email (ECE) could allow an unauthenticated, remote attacker to cause a denial of servic… |
| CVE-2026-48147 | Medium | 6.5 | 2026-05-27 | Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.t… |
| CVE-2026-25542 | Medium | 6.5 | 2026-04-21 | Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.43.0 and prior to versions 1.0.2, 1.3.4, 1.6.2… |
| CVE-2026-25479 | Medium | 6.5 | 2026-02-09 | Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled in… |
| CVE-2020-7929 | Medium | 6.5 | 2021-03-01 | A user authorized to perform database queries may trigger denial of service by issuing a specially crafted query containing a type of regex. This issue affects Mong… |
| CVE-2020-11034 | Medium | 6.1 | 2020-05-05 | In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in ve… |
| CVE-2020-1741 | Medium | 5.9 | 2020-04-24 | A flaw was found in openshift-ansible. OpenShift Container Platform (OCP) 3.11 is too permissive in the way it specified CORS allowed origins during installati… |
| CVE-2026-39350 | Medium | 5.4 | 2026-04-15 | Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the servi… |
| CVE-2026-47674 | Medium | 5.3 | 2026-05-28 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) com… |
| CVE-2026-3419 | Medium | 5.3 | 2026-03-06 | Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1 (https://ht… |
| CVE-2024-6641 | Medium | 5.3 | 2024-09-18 | The WP Hardening – Fix Your WordPress Security plugin for WordPress is vulnerable to Security Feature Bypass in all versions up to, and including, 1.2.6. This… |
| CVE-2021-36093 | Medium | 5.3 | 2021-09-06 | It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS. This issue affects: OTRS AG ((OTRS)) Community Ed… |
| CVE-2026-24398 | Medium | 4.8 | 2026-01-27 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable… |
| CVE-2026-27895 | Medium | 4.3 | 2026-03-17 | LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF… |