cvedb.io
CVE-2026-33672
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2026-03-26T22:16:30.387 · Last modified 2026-06-17T10:37:54.113

Summary

Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected `picomatch` versions that pro
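To make the mechanism concrete, the following is an added example written for this page; it is not picomatch's own code. It models a bracket-class lookup table that inherits from `Object.prototype` (the flaw described above) beside a hardened table with a null prototype and an own-property check. The table contents, the token grammar and the function names are assumptions for illustration only.

```javascript
'use strict';

// Subset of POSIX class names -> character-class bodies (values assumed).
// This object inherits from Object.prototype, so LEAKY_POSIX['constructor']
// resolves to the Object function and LEAKY_POSIX['__proto__'] to Object.prototype.
const LEAKY_POSIX = {
  alpha: 'a-zA-Z',
  digit: '0-9',
  alnum: 'a-zA-Z0-9',
};

// Hardened table: same entries copied onto an object with no prototype chain.
const SAFE_POSIX = Object.assign(Object.create(null), LEAKY_POSIX);

// Hypothetical token grammar: a whole POSIX bracket class such as "[[:alpha:]]".
const POSIX_CLASS = /^\[\[:(\w+):\]\]$/;

// Vulnerable translation: unguarded lookup, result coerced to a string.
function leakyClassToRegexSource(token) {
  const m = POSIX_CLASS.exec(token);
  if (!m) throw new Error(`not a POSIX class token: ${token}`);
  const body = LEAKY_POSIX[m[1]];   // inherited members are found here
  return `[${body}]`;               // a function stringifies to its source text
}

// Hardened translation: null-prototype table plus explicit own-property check,
// so an unknown class name is rejected instead of interpolated.
function safeClassToRegexSource(token) {
  const m = POSIX_CLASS.exec(token);
  if (!m) throw new Error(`not a POSIX class token: ${token}`);
  const name = m[1];
  if (!Object.prototype.hasOwnProperty.call(SAFE_POSIX, name)) {
    throw new Error(`unknown POSIX class: ${name}`);
  }
  return `[${SAFE_POSIX[name]}]`;
}

// Reports, for one token, what each translator produces.
function probe(token) {
  let safe;
  try {
    safe = safeClassToRegexSource(token);
  } catch (e) {
    safe = `rejected (${e.message})`;
  }
  return { token, leaky: leakyClassToRegexSource(token), safe };
}

// Constructed inputs: one legitimate class and two names that only exist on
// Object.prototype. The leaky translator emits function/object text for the
// latter two, which is what ends up inside the compiled glob regex.
for (const t of ['[[:alpha:]]', '[[:constructor:]]', '[[:__proto__:]]']) {
  console.log(probe(t));
}
```

The interesting output is the `leaky` field for `[[:constructor:]]`: the generated character class contains the text of the `Object` function rather than a character range, so any pattern using it matches a set of filenames the author never intended. The hardened variant fails closed on the same input.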

Affected products

jonschlinkert — picomatch

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.