CVE-2026-21868

EPSS 0.06%
Veröffentlicht 08.01.2026 00:26:46
Zuletzt bearbeitet 20.01.2026 18:47:56
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To workaround this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Flagforge ≫ Flagforge Version >= 2.0 < 2.3.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.187

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-949h-9824-xmcx

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-21868

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-21868

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-21868

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-21868