CVEbaza.plCWE DictionaryCWE-777
Common Weakness Enumeration

CWE-777

Regular Expression without Anchors

Category: VariantCVE: 3
Description

The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through.

Extended Description

When performing tasks such as validating against a set of allowed inputs (allowlist), data is examined and possibly modified to ensure that it is well-formed and adheres to a list of safe values. If the regular expression is not anchored, malicious or malformed data may be included before or after any string matching the regular expression. The type of malicious data that is allowed will depend on the context of the application and which anchors are omitted from the regular expression.

CVE vulnerabilities with CWE-777 (3)
7.6
CVSS
HIGH
CVE-2026-40110

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. This issue has been fixed in version 2.18.0.

pub. 2026-05-05
6.9
CVSS
MEDIUM
CVE-2026-56021

Webmin allows unauthenticated attackers to read the contents of any file ending in .conf within module directories, due to a bypassable regex pattern.

pub. 2026-06-18
6.4
CVSS
MEDIUM
CVE-2026-39087

ntfy before 2.22.0 allows SSRF because of an unanchored regular expression for web push endpoint URLs.

pub. 2026-04-23
Information
ID: CWE-777
Type: Variant
Vulnerabilities: 3
MITRE CWE ↗
← CWE Dictionary