CWE-1333(Inefficient Regular Expression Complexity)は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
CWE カタログからの補足説明(MITRE XHTML を基に表示)。
| 種別 | 名称 | クラス | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。
| CVE | 公開 | 概要 |
|---|---|---|
| CVE-2026-52778 | 2026-06-08 | YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to san… |
| CVE-2026-11478 | 2026-06-08 | A flaw has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb. This vulnerability affects the function matchstar of the file re.c of the component Pattern Handler. This ma… |
| CVE-2026-45409 | 2026-06-05 | Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior… |
| CVE-2026-8888 | 2026-06-03 | Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An… |
| CVE-2026-10692 | 2026-06-03 | A weakness has been identified in johnhuang316 code-index-mcp up to 2.14.0. Affected is the function is_safe_regex_pattern of the component search_code_advanced. Executing a manipulation of the argume… |
| CVE-2026-10691 | 2026-06-03 | A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component start_search. Performing a man… |
| CVE-2026-10291 | 2026-06-01 | A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the com… |
| CVE-2026-44796 | 2026-05-28 | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to ap… |
| CVE-2026-9496 | 2026-05-26 | Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpe… |
| CVE-2026-44425 | 2026-05-13 | ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property in the base64-encoded filter query pa… |
| CVE-2026-8159 | 2026-05-12 | [email protected] and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long… |
| CVE-2026-33079 | 2026-05-06 | In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to ca… |
| CVE-2026-41040 | 2026-04-23 | GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via a crafted input string. |
| CVE-2026-39320 | 2026-04-21 | Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within t… |
| CVE-2026-40319 | 2026-04-17 | Giskard is an open-source testing framework for AI models. In versions prior to 1.0.2b1, the RegexMatching check passes a user-supplied regular expression pattern directly to Python's re.search() with… |
| CVE-2026-5986 | 2026-04-09 | A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes ineffici… |
| CVE-2026-35041 | 2026-04-09 | fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular … |
| CVE-2026-35611 | 2026-04-07 | Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two c… |
| CVE-2026-35458 | 2026-04-07 | Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access t… |
| CVE-2026-35213 | 2026-04-06 | @hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three … |
| 日付 | 名称 | バージョン | 重要度 | コメント |
|---|---|---|---|---|
| 2021-07-20 | CWE Content Team | 4.5 | — | updated References |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Description |
| 2022-04-28 | CWE Content Team | 4.7 | — | updated Observed_Examples, Potential_Mitigations |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Observed_Examples, Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Demonstrative_Examples, Observed_Examples |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Detection_Factors, Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Background_Details, Common_Consequences, Description, Diagram, Modes_of_Introduction |