Micromatch Picomatch vulnerabilities
2 known vulnerabilities affecting micromatch/picomatch.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 1
Vulnerabilities
CVE-2026-33671
Severity: HIGH (CVSS 7.5)
CWE: CWE-1333
Affected versions: >= 4.0.0, < 4.0.4; >= 3.0.0, < 3.0.2; +1 more
Date: 2026-03-26
Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled i
Sources: GHSA, NVD, OSV
CVE-2026-33672
Severity: MEDIUM (CVSS 5.3)
CWE: CWE-1321
Affected versions: >= 4.0.0, < 4.0.4; >= 3.0.0, < 3.0.2; +1 more
Date: 2026-03-26
Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. The
Sources: GHSA, NVD, OSV