CVE-2026-27903 - Vulnerability Analysis
High | CVSS: 7.5 | Last Updated: February 27, 2026
minimatch - Denial of Service
Overview
minimatch versions before 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 contain a denial of service caused by unbounded recursive backtracking in matchOne() when a pattern has multiple non-adjacent globstar segments. This lets attackers stall the Node.js event loop. Exploitation requires attacker-controlled glob patterns.
Severity & Score
Impact
Attackers can cause denial of service by stalling the Node.js event loop for several seconds using crafted glob patterns.
Mitigation
Update to versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, or 3.1.3 or later.
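For the update step above, an added example (not from this advisory or the minimatch project) that checks an npm lockfile for minimatch copies older than the listed fixed releases, including nested transitive copies. It assumes each fixed version patches its own major line and reads the lockfileVersion 2/3 "packages" map; the sample lockfile is constructed.

```javascript
// Added example, not part of the advisory. Fixed releases are copied from the
// Mitigation list; pairing each with its own major line is an assumption.
const FIXED = {
  10: [10, 2, 3], 9: [9, 0, 7], 8: [8, 0, 6], 7: [7, 4, 8],
  6: [6, 2, 2], 5: [5, 1, 8], 4: [4, 2, 5], 3: [3, 1, 3],
};

// Classify one version string as "fixed", "affected" or "unknown".
function classify(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) return "unknown";
  const v = [Number(m[1]), Number(m[2]), Number(m[3])];
  const fixed = FIXED[v[0]];
  // Assumption: lines newer than 10.x carry the fix, and lines older than 3.x
  // (no fixed release listed) stay affected.
  if (!fixed) return v[0] > 10 ? "fixed" : "affected";
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] > fixed[i] ? "fixed" : "affected";
  }
  // Same numbers as the fixed release: a pre-release tag sorts before it.
  return m[4] ? "affected" : "fixed";
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and return
// every minimatch copy, including nested transitive ones, that is not fixed.
function findAffected(lock) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path !== "node_modules/minimatch" && !path.endsWith("/node_modules/minimatch")) continue;
    const status = classify(pkg.version);
    if (status !== "fixed") hits.push({ path, version: pkg.version, status });
  }
  return hits;
}

// Constructed sample lockfile; package names other than minimatch are illustrative.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/minimatch": { version: "9.0.7" },
    "node_modules/glob/node_modules/minimatch": { version: "3.1.2" },
    "node_modules/tool/node_modules/minimatch": { version: "10.2.3-rc.1" },
    "node_modules/minimatch-extra": { version: "1.0.0" },
  },
};

console.log(findAffected(sampleLock));
```

To check a real project, pass the parsed contents of its package-lock.json to findAffected() in place of the sample object.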
Social Media Activity (2 posts)
CVE-2026-27903 - High (7.5) minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glo... https://www.thehackerwire.com/vulnerability/CVE-2026-27903/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-27903
- Severity: High
- CVSS Score: 7.5
- Type: denial_of_service
- Status: confirmed
- EPSS: 4.7%
- Social Posts: 2
CWE
- CWE-407
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H