Description
The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
Extended Description
Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later parsed as a regular expression.
CVE vulnerabilities with CWE-624 (2)
9.2
CVSS
CRITICAL
CVE-2026-25237
pub. 2026-02-03
7.5
CVSS
HIGH
CVE-2024-41655
pub. 2024-07-23