CVE-2026-4926

High

Published: 26 March 2026

Published

26 March 2026

Modified

16 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0006 17.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4926 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Pillarjs Path-To-Regexp. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the vulnerability by requiring timely patching to version 8.4.0, which fixes the exponential growth in generated regex from sequential optional groups.

SI-10 Information Input Validation good match

prevent

Prevents exploitation by validating route patterns to reject malicious inputs containing multiple sequential optional curly brace groups that cause regex explosion.

SC-5 Denial-of-service Protection good match

preventdetect

Protects against the denial-of-service impact through mechanisms that detect and limit resource exhaustion from processing vulnerable route patterns.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

The ReDoS vulnerability (exponential regex from crafted route patterns) directly enables remote resource exhaustion on a server-side routing component, mapping to application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0.…

Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

Deeper analysisAI

CVE-2026-4926 is a denial-of-service vulnerability in a routing component that generates regular expressions from route patterns. The issue arises when multiple sequential optional groups using curly brace syntax are present, such as `{a}{b}{c}:z`. This causes the generated regex to grow exponentially with the number of groups, leading to excessive resource consumption. The vulnerability is associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity) and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote, unauthenticated attacker can exploit this vulnerability with low complexity and no user interaction by supplying a malicious route pattern containing many sequential optional groups. Successful exploitation results in denial of service through resource exhaustion, impacting availability but not confidentiality or integrity.

The vulnerability is fixed in version 8.4.0. Advisories recommend workarounds such as limiting the number of sequential optional groups in route patterns and avoiding the use of user-controlled input as route patterns. Additional details are available at https://cna.openjsf.org/security-advisories.html.