{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-4926","assignerOrgId":"ce714d77-add3-4f53-aff5-83d477b104bb","state":"PUBLISHED","assignerShortName":"openjs","dateReserved":"2026-03-26T18:36:49.229Z","datePublished":"2026-03-26T18:59:38.000Z","dateUpdated":"2026-07-17T12:04:37.430Z"},"containers":{"cna":{"providerMetadata":{"orgId":"ce714d77-add3-4f53-aff5-83d477b104bb","shortName":"openjs","dateUpdated":"2026-03-26T18:59:38.000Z"},"descriptions":[{"lang":"en","value":"Impact:\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\nPatches:\n\nFixed in version 8.4.0.\n\nWorkarounds:\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.","supportingMedia":[{"type":"text/html","base64":false,"value":"Impact:\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\nPatches:\n\nFixed in version 8.4.0.\n\nWorkarounds:\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns."}]}],"affected":[{"vendor":"path-to-regexp","product":"path-to-regexp","defaultStatus":"unaffected","versions":[{"versionType":"semver","status":"affected","version":"8.0.0","lessThan":"8.4.0"},{"versionType":"semver","status":"unaffected","version":"8.4.0"}],"packageURL":"pkg:npm/path-to-regexp"}],"references":[{"url":"https://cna.openjsf.org/security-advisories.html"}],"credits":[{"lang":"en","type":"reporter","value":"uug4na"},{"lang":"en","type":"remediation developer","value":"blakeembrey"},{"lang":"en","type":"remediation reviewer","value":"UlisesGascon"}],"title":"path-to-regexp vulnerable to Denial of Service via sequential optional groups","metrics":[{"format":"CVSS","cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH"},"scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-400","lang":"en","description":"CWE-400: Uncontrolled Resource Consumption","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-1333","lang":"en","description":"CWE-1333: Inefficient Regular Expression Complexity","type":"CWE"}]}],"x_generator":{"engine":"cve-kit 1.0.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-27T19:44:44.790485Z","id":"CVE-2026-4926","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-27T19:44:53.294Z"}},{"affected":[{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:cryostat:4::el9"],"defaultStatus":"affected","packageName":"cryostat/cryostat-openshift-console-plugin-rhel9","product":"Cryostat 4 on RHEL 9","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"4.2.0-9","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2.5::el8"],"defaultStatus":"affected","packageName":"automation-gateway","product":"Red Hat Ansible Automation Platform 2.5 for RHEL 8","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:2.5.20260422-3.el8ap","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2.5::el9"],"defaultStatus":"affected","packageName":"automation-gateway","product":"Red Hat Ansible Automation Platform 2.5 for RHEL 9","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:2.5.20260422-3.el9ap","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2.6::el9"],"defaultStatus":"affected","packageName":"automation-platform-ui","product":"Red Hat Ansible Automation Platform 2.6 for RHEL 9","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:2.6.9-1.el9ap","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:migration_toolkit_virtualization:2.10::el9"],"defaultStatus":"affected","packageName":"migration-toolkit-virtualization/mtv-console-plugin-rhel9","product":"Migration Toolkit for Virtualization 2.1","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1779139872","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:migration_toolkit_virtualization:2.9::el9"],"defaultStatus":"affected","packageName":"migration-toolkit-virtualization/mtv-console-plugin-rhel9","product":"Migration Toolkit for Virtualization 2.9","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1778927462","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:ansible_automation_platform:2.6::el9"],"defaultStatus":"affected","packageName":"ansible-automation-platform-tech-preview/mcp-server-rhel9","product":"Red Hat Ansible Automation Platform 2.6","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1777386606","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:ansible_automation_platform:2.6::el9"],"defaultStatus":"affected","packageName":"ansible-automation-platform-26/gateway-rhel9","product":"Red Hat Ansible Automation Platform 2.6","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1779773804","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:rhdh:1.8::el9"],"defaultStatus":"affected","packageName":"rhdh/rhdh-hub-rhel9","product":"Red Hat Developer Hub 1.8","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1776784286","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:rhdh:1.9::el9"],"defaultStatus":"affected","packageName":"rhdh/rhdh-hub-rhel9","product":"Red Hat Developer Hub 1.9","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1777903262","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:edge_manager:1.0::el9"],"defaultStatus":"affected","packageName":"rhem/flightctl-ui-ocp-rhel9","product":"Red Hat Edge Manager 1.0","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1783502765","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:edge_manager:1.0::el9"],"defaultStatus":"affected","packageName":"rhem/flightctl-ui-rhel9","product":"Red Hat Edge Manager 1.0","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1783502438","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:edge_manager:1.1::el10"],"defaultStatus":"affected","packageName":"rhem/flightctl-ui-ocp-rhel10","product":"Red Hat Edge Manager 1.1","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1784194938","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:edge_manager:1.1::el10"],"defaultStatus":"affected","packageName":"rhem/flightctl-ui-rhel10","product":"Red Hat Edge Manager 1.1","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1784194574","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:edge_manager:1.1::el9"],"defaultStatus":"affected","packageName":"rhem/flightctl-ui-ocp-rhel9","product":"Red Hat Edge Manager 1.1","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1784126822","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:edge_manager:1.1::el9"],"defaultStatus":"affected","packageName":"rhem/flightctl-ui-rhel9","product":"Red Hat Edge Manager 1.1","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1784127736","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:openshift_devspaces:3.27::el9"],"defaultStatus":"affected","packageName":"devspaces/code-rhel9","product":"Red Hat OpenShift Dev Spaces 3.27","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1776744110","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:openshift_devspaces:3.27::el9"],"defaultStatus":"affected","packageName":"devspaces/jetbrains-ide-rhel9","product":"Red Hat OpenShift Dev Spaces 3.27","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1776795400","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:openshift_distributed_tracing:3.9::el9"],"defaultStatus":"affected","packageName":"rhosdt/tempo-jaeger-query-rhel9","product":"Red Hat OpenShift distributed tracing 3.9.3","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1776435608","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:trusted_artifact_signer:1.3::el9"],"defaultStatus":"affected","packageName":"rhtas/rhtas-console-ui-rhel9","product":"Red Hat Trusted Artifact Signer 1.3","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1776673130","versionType":"rpm"},{"lessThan":"*","status":"unaffected","version":"1776889929","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:cryostat:4"],"defaultStatus":"unaffected","packageName":"io.cryostat-cryostat","product":"Cryostat 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:logging:5"],"defaultStatus":"affected","packageName":"openshift-logging/elasticsearch6-rhel9","product":"Logging Subsystem for Red Hat OpenShift","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:logging:5"],"defaultStatus":"affected","packageName":"openshift-logging/elasticsearch-operator-bundle","product":"Logging Subsystem for Red Hat OpenShift","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:logging:5"],"defaultStatus":"affected","packageName":"openshift-logging/elasticsearch-proxy-rhel9","product":"Logging Subsystem for Red Hat OpenShift","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:logging:5"],"defaultStatus":"affected","packageName":"openshift-logging/elasticsearch-rhel9-operator","product":"Logging Subsystem for Red Hat OpenShift","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:logging:5"],"defaultStatus":"affected","packageName":"openshift-logging/kibana6-rhel8","product":"Logging Subsystem for Red Hat OpenShift","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:logging:5"],"defaultStatus":"affected","packageName":"openshift-logging/logging-curator5-rhel9","product":"Logging Subsystem for Red Hat OpenShift","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:migration_toolkit_applications:8"],"defaultStatus":"affected","packageName":"mta/mta-ui-rhel9","product":"Migration Toolkit for Applications 8","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:multicluster_engine"],"defaultStatus":"affected","packageName":"multicluster-engine/console-mce-rhel9","product":"Multicluster Engine for Kubernetes","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:network_observ_optr:1"],"defaultStatus":"unaffected","packageName":"network-observability/network-observability-console-plugin-rhel9","product":"Network Observability Operator","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_lightspeed"],"defaultStatus":"unaffected","packageName":"openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9","product":"OpenShift Lightspeed","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_lightspeed"],"defaultStatus":"unaffected","packageName":"openshift-lightspeed/lightspeed-console-plugin-rhel9","product":"OpenShift Lightspeed","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_pipelines:1"],"defaultStatus":"affected","packageName":"openshift-pipelines/pipelines-console-plugin-rhel9","product":"OpenShift Pipelines","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:service_mesh:2"],"defaultStatus":"unaffected","packageName":"openshift-service-mesh/kiali-ossmc-rhel8","product":"OpenShift Service Mesh 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:service_mesh:2"],"defaultStatus":"unaffected","packageName":"openshift-service-mesh/kiali-rhel8","product":"OpenShift Service Mesh 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:service_mesh:3"],"defaultStatus":"unaffected","packageName":"openshift-service-mesh/kiali-operator-bundle","product":"OpenShift Service Mesh 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:service_mesh:3"],"defaultStatus":"unaffected","packageName":"openshift-service-mesh/kiali-ossmc-rhel9","product":"OpenShift Service Mesh 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:service_mesh:3"],"defaultStatus":"unaffected","packageName":"openshift-service-mesh/kiali-rhel9","product":"OpenShift Service Mesh 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:service_mesh:3"],"defaultStatus":"unaffected","packageName":"openshift-service-mesh/kiali-rhel9-operator","product":"OpenShift Service Mesh 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:acm:2"],"defaultStatus":"affected","packageName":"rhacm2/console-rhel9","product":"Red Hat Advanced Cluster Management for Kubernetes 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:advanced_cluster_security:4"],"defaultStatus":"unaffected","packageName":"advanced-cluster-security/rhacs-main-rhel8","product":"Red Hat Advanced Cluster Security 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:amq_broker:7"],"defaultStatus":"affected","packageName":"amq7-tech-preview/amq-broker-jolokia-api-server-rhel9","product":"Red Hat AMQ Broker 7","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:amq_broker:7"],"defaultStatus":"unaffected","packageName":"org.jolokia-jolokia-parent","product":"Red Hat AMQ Broker 7","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"affected","packageName":"automation-controller","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"unaffected","packageName":"automation-eda-controller","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:apache_camel_hawtio:4"],"defaultStatus":"unaffected","packageName":"io.hawt-project","product":"Red Hat build of Apache Camel - HawtIO 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:service_registry:2"],"defaultStatus":"unaffected","packageName":"io.apicurio-apicurio-registry","product":"Red Hat build of Apicurio Registry 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:podman_desktop:1"],"defaultStatus":"affected","packageName":"podman-desktop-macos-1-0","product":"Red Hat Build of Podman Desktop","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:podman_desktop:1"],"defaultStatus":"affected","packageName":"podman-desktop-windows-1-0","product":"Red Hat Build of Podman Desktop","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:jboss_data_grid:8"],"defaultStatus":"affected","packageName":"org.infinispan-infinispan-console","product":"Red Hat Data Grid 8","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:rhdh:1"],"defaultStatus":"affected","packageName":"rhdh/backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor","product":"Red Hat Developer Hub","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"unaffected","packageName":"linux-sgx","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"unaffected","packageName":"mozjs60","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"unaffected","packageName":"pcs","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"affected","packageName":"gjs","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"unaffected","packageName":"linux-sgx","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"unaffected","packageName":"pcs","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"affected","packageName":"io.apicurio-apicurito","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"affected","packageName":"io.hawt-hawtio-online","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"affected","packageName":"io.hawt-project","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"affected","packageName":"io.syndesis-syndesis-parent","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:7"],"defaultStatus":"unaffected","packageName":"io.hawt-project","product":"Red Hat JBoss Enterprise Application Platform 7","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8"],"defaultStatus":"unaffected","packageName":"io.hawt-project","product":"Red Hat JBoss Enterprise Application Platform 8","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"unaffected","packageName":"io.hawt-project","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"unaffected","packageName":"org.keycloak-keycloak-parent","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unaffected","packageName":"rhoai/odh-data-science-pipelines-argo-argoexec-rhel8","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unaffected","packageName":"rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unaffected","packageName":"rhoai/odh-mlflow-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"unaffected","packageName":"openshift4/ose-agent-installer-ui-rhel9","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"unaffected","packageName":"openshift4/ose-console","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"unaffected","packageName":"openshift4/ose-console-rhel9","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"affected","packageName":"openshift4/ose-monitoring-plugin-rhel8","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"unaffected","packageName":"openshift4/ose-monitoring-plugin-rhel9","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_data_foundation:4"],"defaultStatus":"unaffected","packageName":"odf4/mcg-core-rhel9","product":"Red Hat Openshift Data Foundation 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_data_foundation:4"],"defaultStatus":"affected","packageName":"odf4/ocs-client-console-rhel9","product":"Red Hat Openshift Data Foundation 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_data_foundation:4"],"defaultStatus":"unaffected","packageName":"odf4/odf-console-rhel9","product":"Red Hat Openshift Data Foundation 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_data_foundation:4"],"defaultStatus":"unaffected","packageName":"odf4/odf-multicluster-console-rhel9","product":"Red Hat Openshift Data Foundation 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_gitops:1"],"defaultStatus":"affected","packageName":"openshift-gitops-1/argocd-rhel8","product":"Red Hat OpenShift GitOps","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_gitops:1"],"defaultStatus":"affected","packageName":"openshift-gitops-1/argocd-rhel9","product":"Red Hat OpenShift GitOps","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_gitops:1"],"defaultStatus":"affected","packageName":"openshift-gitops-1/console-plugin-rhel8","product":"Red Hat OpenShift GitOps","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:container_native_virtualization:4"],"defaultStatus":"unaffected","packageName":"container-native-virtualization/kubevirt-console-plugin","product":"Red Hat OpenShift Virtualization 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:container_native_virtualization:4"],"defaultStatus":"unaffected","packageName":"container-native-virtualization/kubevirt-console-plugin-rhel9","product":"Red Hat OpenShift Virtualization 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"],"defaultStatus":"unaffected","packageName":"org.kie-process-migration-service","product":"Red Hat Process Automation 7","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"],"defaultStatus":"unaffected","packageName":"org.uberfire-uberfire-parent","product":"Red Hat Process Automation 7","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:quay:3"],"defaultStatus":"unaffected","packageName":"quay/quay-rhel8","product":"Red Hat Quay 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"unaffected","packageName":"nodejs-react-router","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"unaffected","packageName":"nodejs-react-router-dom","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:red_hat_single_sign_on:7"],"defaultStatus":"affected","packageName":"org.keycloak-keycloak-parent","product":"Red Hat Single Sign-On 7","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:trusted_profile_analyzer:2"],"defaultStatus":"unaffected","packageName":"rhtpa/rhtpa-trustification-service-rhel9","product":"Red Hat Trusted Profile Analyzer","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_portal:2"],"defaultStatus":"affected","packageName":"ansible-automation-platform/automation-portal","product":"Self-service automation portal 2","vendor":"Red Hat"}],"datePublic":"2026-03-26T18:59:38.000Z","descriptions":[{"lang":"en","value":"A flaw was found in path-to-regexp. A remote attacker could exploit this vulnerability by providing specially crafted input that generates a regular expression with multiple sequential optional groups. This leads to an exponential growth in the generated regular expression, causing a Denial of Service (DoS) due to excessive resource consumption."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1333","description":"Inefficient Regular Expression Complexity","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-4926"},{"name":"RHBZ#2451867","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2451867"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4926.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24761"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24762"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:17789"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19409"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19410"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24866"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:13545"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:9742"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:13826"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:36651"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:40945"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:40118"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:9385"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10172"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10153"}],"solutions":[{"lang":"en","value":"RHSA-2026:24761: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9"},{"lang":"en","value":"RHSA-2026:24762: Red Hat Ansible Automation Platform 2.6 for RHEL 9"},{"lang":"en","value":"RHSA-2026:17789: Cryostat 4 on RHEL 9"},{"lang":"en","value":"RHSA-2026:19409: Migration Toolkit for Virtualization 2.1"},{"lang":"en","value":"RHSA-2026:19410: Migration Toolkit for Virtualization 2.9"},{"lang":"en","value":"RHSA-2026:24866: Red Hat Ansible Automation Platform 2.6"},{"lang":"en","value":"RHSA-2026:13545: Red Hat Ansible Automation Platform 2.6"},{"lang":"en","value":"RHSA-2026:9742: Red Hat Developer Hub 1.8"},{"lang":"en","value":"RHSA-2026:13826: Red Hat Developer Hub 1.9"},{"lang":"en","value":"RHSA-2026:36651: Red Hat Edge Manager 1.0"},{"lang":"en","value":"RHSA-2026:40945: Red Hat Edge Manager 1.1"},{"lang":"en","value":"RHSA-2026:40118: Red Hat Edge Manager 1.1"},{"lang":"en","value":"RHSA-2026:10175: Red Hat OpenShift Dev Spaces 3.27"},{"lang":"en","value":"RHSA-2026:9385: Red Hat OpenShift distributed tracing 3.9.3"},{"lang":"en","value":"RHSA-2026:10172: Red Hat Trusted Artifact Signer 1.3"},{"lang":"en","value":"RHSA-2026:10153: Red Hat Trusted Artifact Signer 1.3"}],"timeline":[{"lang":"en","time":"2026-03-26T20:03:28.427Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-26T18:59:38.000Z","value":"Made public."}],"title":"path-to-regexp: path-to-regexp: Denial of Service via crafted regular expressions","workarounds":[{"lang":"en","value":"To mitigate this vulnerability, limit the use of multiple sequential optional groups in route patterns within applications that use `path-to-regexp`. Additionally, avoid directly passing user-controlled input as route patterns to prevent the generation of maliciously crafted regular expressions."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-17T12:04:37.430Z"}}]}}