CVEbaza.plSłownik CWECWE-777
Common Weakness Enumeration

CWE-777

Regular Expression without Anchors

Kategoria: VariantCVE: 3
Opis

Produkt wykorzystuje wyrażenie regularne do neutralizacji zagrożeń, jednak wyrażenie nie posiada kotwic i może pozwolić złośliwym lub zniekształconym danym na przejście przez filtr. Ta luka w zabezpieczeniach umożliwia atakującemu obejść mechanizmy walidacji i ochrony danych.

Description (EN)

The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through.

Podatności CVE z CWE-777 (3)
7.6
CVSS
HIGH
CVE-2026-40110

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. This issue has been fixed in version 2.18.0.

pub. 2026-05-05
6.9
CVSS
MEDIUM
CVE-2026-56021

Webmin allows unauthenticated attackers to read the contents of any file ending in .conf within module directories, due to a bypassable regex pattern.

pub. 2026-06-18
6.4
CVSS
MEDIUM
CVE-2026-39087

ntfy before 2.22.0 allows SSRF because of an unanchored regular expression for web push endpoint URLs.

pub. 2026-04-23
Informacje
ID: CWE-777
Typ: Variant
Podatności: 3
MITRE CWE ↗
← Słownik CWE
CWE-777 — Wyrażenie regularne bez kotwic | Słownik CWE | CVEbaza.pl