Cyber Resilience

CVE-2026-4926

HighDDoS

Published: 26 March 2026

Published
26 March 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 5.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4926 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Pillarjs Path-To-Regexp. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4926 is a denial-of-service vulnerability in a routing component that generates regular expressions from route patterns. The issue arises when multiple sequential optional groups using curly brace syntax are present, such as `{a}{b}{c}:z`. This causes the generated regex to grow exponentially with the number of groups, leading to excessive resource consumption. The vulnerability is associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity) and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote, unauthenticated attacker can exploit this vulnerability with low complexity and no user interaction by supplying a malicious route pattern containing many sequential optional groups. Successful exploitation results in denial of service through resource exhaustion, impacting availability but not confidentiality or integrity.

The vulnerability is fixed in version 8.4.0. Advisories recommend workarounds such as limiting the number of sequential optional groups in route patterns and avoiding the use of user-controlled input as route patterns. Additional details are available at https://cna.openjsf.org/security-advisories.html.

EU & UK References

Vulnerability details

Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0.…

more

Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The ReDoS vulnerability (exponential regex from crafted route patterns) directly enables remote resource exhaustion on a server-side routing component, mapping to application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4867Same product: Pillarjs Path-To-Regexp
CVE-2026-8159Same vendor: Pillarjs
CVE-2026-8161Same vendor: Pillarjs
CVE-2026-8162Same vendor: Pillarjs
CVE-2025-69873Shared CWE-1333, CWE-400
CVE-2026-39320Shared CWE-1333, CWE-400
CVE-2026-24001Shared CWE-1333, CWE-400
CVE-2024-56921Shared CWE-400
CVE-2026-21945Shared CWE-400
CVE-2024-33618Shared CWE-400

Affected Assets

pillarjs
path-to-regexp
8.0.0 — 8.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely patching to version 8.4.0, which fixes the exponential growth in generated regex from sequential optional groups.

prevent

Prevents exploitation by validating route patterns to reject malicious inputs containing multiple sequential optional curly brace groups that cause regex explosion.

preventdetect

Protects against the denial-of-service impact through mechanisms that detect and limit resource exhaustion from processing vulnerable route patterns.

References