Isaacs Minimatch vulnerabilities

3 known vulnerabilities affecting isaacs/minimatch.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3

Vulnerabilities

CVE-2026-27903 | HIGH | CVSS 7.5 | v>= 10.0.0, < 10.2.3 | v>= 9.0.0, < 9.0.7 | +6 more | 2026-02-26
CWE-407: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The t
Source: nvd

CVE-2026-27904 | HIGH | CVSS 7.5 | v>= 10.0.0, < 10.2.3 | v>= 9.0.0, < 9.0.7 | +6 more | 2026-02-26
CWE-1333: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*
Source: nvd

CVE-2026-26996 | HIGH | CVSS 8.7 | fixed in 10.2.1 | 2026-02-20
CWE-1333: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate
Source: nvd