CVE-2026-4926 — Vulnetix

CVE-2026-4926 PUBLISHED CVSS 7.5 HIGH

path-to-regexp vulnerable to Denial of Service via sequential optional groups

EPSS 0.02% · 5.2th percentile

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.02%

5.2th percentile

Affected Products

Vendor	Product	Versions
npm	path-to-regexp	8.0.0, 8.0.0, 8.0.0
pillarjs	path-to-regexp	8.0.0
path-to-regexp	path-to-regexp	8.0.0, 8.4.0, 8.0.0

Timeline

Mar 26, 2026 PoC Published
Mar 26, 2026 CVE Published
Mar 26, 2026 PoC Published
Mar 26, 2026 PoC Published
Mar 26, 2026 PoC Published
Mar 27, 2026 EPSS Score
Mar 27, 2026 Coalition ESS Score
Mar 27, 2026 CVE Updated
Mar 28, 2026 Security Advisory
May 18, 2026 EPSS Score
May 19, 2026 EPSS Score
May 20, 2026 EPSS Score

References

https://cna.openjsf.org/security-advisories.html url
https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f url
https://nvd.nist.gov/vuln/detail/CVE-2026-4926 advisory
https://github.com/pillarjs/path-to-regexp package
https://www.ibm.com/support/pages/node/7274185 advisory
https://www.ibm.com/support/pages/node/7274154 advisory
https://www.ibm.com/support/pages/node/7274180 advisory
https://www.ibm.com/support/pages/node/7274183 advisory
https://www.ibm.com/support/pages/node/7273957 advisory
https://www.ibm.com/support/pages/node/7274184 advisory
https://www.ibm.com/support/pages/node/7274314 advisory
https://www.ibm.com/support/pages/node/7274182 advisory
https://www.ibm.com/support/pages/node/7274181 advisory
https://www.ibm.com/support/pages/node/7273803 advisory
https://www.ibm.com/support/pages/node/7272901 advisory

Open in Interactive Console →

$ Console Community · 100/wk Open console ›