Cyber Posture

CVE-2026-21868

Severity: High

Published: 08 January 2026
Modified: 20 January 2026
KEV Added: not listed
Patch: available (fixed in version 2.3.3)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0014 (34.1st percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21868 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in the Flag Forge CTF platform (vendor Flagforge, product flagforge). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 34.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

ReDoS in public API endpoint enables remote unauthenticated exploitation of a web app (T1190) resulting in application-layer resource exhaustion/DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To workaround this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.

Deeper analysis

CVE-2026-21868 is a Regular Expression Denial of Service (ReDoS) vulnerability (CWE-1333) affecting Flag Forge, a Capture The Flag (CTF) platform, in versions 2.3.2 and prior. The issue resides in the user profile API endpoint (/api/user/[username]), where the application dynamically constructs a regular expression using unescaped user input from the username parameter. This allows specially crafted input containing regex meta-characters, such as deeply nested groups or quantifiers, to trigger excessive CPU consumption in the MongoDB regex engine.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its network accessibility and lack of prerequisites. Any unauthenticated remote attacker can exploit it by sending a malicious request to the affected endpoint with a crafted username, causing significant resource exhaustion. This results in denial of service for other users of the platform as the server becomes unresponsive.

The vulnerability is fixed in Flag Forge version 2.3.3. As a workaround, operators can implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path. Additional details are available in the GitHub Security Advisory at https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-949h-9824-xmcx.
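The following is an added example, not Flag Forge's own code, written to show the CWE-1333 pattern the NVD description and the analysis above refer to: a MongoDB user lookup built as a dynamic regex from raw input, beside two hardened forms (escaping plus a length cap, and an exact-match lookup with an allowlist), and the kind of path-segment check the advisory's WAF workaround would apply. The field names, the in-memory stand-in for the users collection and the small query matcher are assumptions made for illustration.

```javascript
// Added example (not Flag Forge's code). Contrasts an unsafe dynamic-regex
// user lookup with hardened alternatives and a WAF-style path check.

// Every character that has meaning in regex syntax (JavaScript and PCRE-style engines).
const META_CHARS = /[.*+?^${}()|[\]\\\/]/g;

// Vulnerable: the caller's string is pasted straight into the pattern, so any
// regex syntax in the username is interpreted by the database's regex engine.
// (Assumed to be equivalent to what the advisory describes.)
function buildUserQueryUnsafe(username) {
  return { username: { $regex: `^${username}$`, $options: "i" } };
}

// Escape every meta-character so the database matches the text literally.
function escapeRegex(input) {
  return input.replace(META_CHARS, "\\$&");
}

// Hardened form 1: keep the case-insensitive regex, but escape the input and
// cap its length. The resulting pattern contains no user-controlled quantifiers.
const MAX_USERNAME_LEN = 32;
function buildUserQuerySafe(username) {
  if (typeof username !== "string" || username.length === 0 || username.length > MAX_USERNAME_LEN) {
    throw new Error("invalid username");
  }
  return { username: { $regex: `^${escapeRegex(username)}$`, $options: "i" } };
}

// Hardened form 2: no regex at all. Enforce an allowlist and look up a
// normalised lowercase copy of the username (assumed field) with an equality match.
const USERNAME_ALLOWLIST = /^[A-Za-z0-9_-]{1,32}$/;
function buildUserQueryExact(username) {
  if (typeof username !== "string" || !USERNAME_ALLOWLIST.test(username)) {
    throw new Error("invalid username");
  }
  return { usernameLower: username.toLowerCase() };
}

// WAF-style check matching the advisory's workaround: flag a URL path segment
// that carries regex meta-characters before it reaches the application.
// Undecodable percent-encoding is treated as suspicious rather than ignored.
function pathSegmentHasRegexMeta(segment) {
  let decoded;
  try {
    decoded = decodeURIComponent(segment);
  } catch (e) {
    return true;
  }
  return /[.*+?^${}()|[\]\\]/.test(decoded);
}

// Constructed in-memory stand-in for the users collection. Only the $regex
// operator and plain equality are modelled, which is enough to compare the
// three query shapes above.
const USERS = [
  { username: "alice", usernameLower: "alice" },
  { username: "al.ce", usernameLower: "al.ce" },
  { username: "Bob_1", usernameLower: "bob_1" },
];

function findUsers(query, collection = USERS) {
  return collection
    .filter((doc) =>
      Object.entries(query).every(([field, cond]) => {
        if (cond && typeof cond === "object" && "$regex" in cond) {
          return new RegExp(cond.$regex, cond.$options || "").test(doc[field]);
        }
        return doc[field] === cond;
      })
    )
    .map((doc) => doc.username);
}

// Stand-alone demonstration: the unsafe query lets "." act as a wildcard and
// returns two users; the escaped query returns only the literal match.
console.log("unsafe:", findUsers(buildUserQueryUnsafe("al.ce")));
console.log("safe:  ", findUsers(buildUserQuerySafe("al.ce")));
console.log("exact: ", findUsers(buildUserQueryExact("BOB_1")));
console.log("path check:", pathSegmentHasRegexMeta("al.ce"));
```

The wildcard match in the unsafe variant is the visible symptom; the same interpolation is what lets nested groups and quantifiers reach the database's regex engine. Of the two hardened forms, the equality lookup on a normalised field is the stronger fix because it removes regex evaluation from the request path entirely, and it also lets the lookup use an index; escaping is the smaller change when case-insensitive regex matching must be kept.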

Details

CWE(s): CWE-1333 Inefficient Regular Expression Complexity

Affected Products

Vendor: flagforge
Product: flagforge
Versions: 2.0 to 2.3.3 (versions 2.3.2 and below are affected; fixed in 2.3.3)

CVEs Like This One

CVE-2026-33671 (shared CWE-1333)
CVE-2025-70030 (shared CWE-1333)
CVE-2026-28356 (shared CWE-1333)
CVE-2026-22178 (shared CWE-1333)
CVE-2026-1388 (shared CWE-1333)
CVE-2026-23897 (shared CWE-1333)
CVE-2026-4867 (shared CWE-1333)
CVE-2026-35213 (shared CWE-1333)
CVE-2026-23956 (shared CWE-1333)
CVE-2026-30837 (shared CWE-1333)

References