Vulnerabilities

CVE-2026-21868 - Flag Forge has ReDoS Vulnerability in User Profile Lookup API

2026-01-08 0 views admin
CVE-2026-21868 - Flag Forge has ReDoS Vulnerability in User Profile Lookup API

CVE ID : CVE-2026-21868 Published : Jan. 8, 2026, 12:26 a.m. | 4 minutes ago Description : Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To workaround this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE Details

Published
Jan. 8, 2026
Affected Product: MongoDB
Impact: Denial of Service

Source: Telegram CVE Monitor

🏷️ Tags

cvevulnerabilitysecuritycybersecuritycve-2026-21868mongodb

More from Vulnerabilities

CVE-2025-13753 - WP Table Builder <= 2.0.19 - incorrect authorization to authenticated (subscribe

CVE-2025-13753 - WP Table Builder <= 2.0.19 - incorrect authorization to authenticated (subscribe

2026-01-09 0
CVE-2025-13628 - Tutor LMS – eLearning and online course solution <= 3.9.3 - missing authorizatio

CVE-2025-13628 - Tutor LMS – eLearning and online course solution <= 3.9.3 - missing authorizatio

2026-01-09 0
CVE-2025-69194 - Wget2: arbitrary file write via metalink path traversal in gnu wget2 - 2025 Update

CVE-2025-69194 - Wget2: arbitrary file write via metalink path traversal in gnu wget2 - 2025 Update

2026-01-09 0
CVE-2025-14937 - Frontend Admin by DynamiApps <= 3.28.23 - unauthenticated stored cross-site scri

CVE-2025-14937 - Frontend Admin by DynamiApps <= 3.28.23 - unauthenticated stored cross-site scri

2026-01-09 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views