cbcvebase.
CVE-2026-30837
published 2026-03-10

CVE-2026-30837: Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({…

PriorityP344high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.49%
38.7th percentile
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly. This vulnerability is fixed in 1.4.26.

Affected

2 ranges
VendorProductVersion rangeFixed in
elysiajselysia< 1.4.261.4.26
elysiajselysia>= 0 < 1.4.261.4.26
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.