Homepage

CVE-2026-4867 Affecting sqlpad package, versions <7.5.7-r17

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.05% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-SQLPAD-15968079
  • published10 Apr 2026
  • disclosed26 Mar 2026
Report a new vulnerability Found a mistake?

Introduced: 26 Mar 2026

NewCVE-2026-4867  (opens in a new tab)

How to fix?

Upgrade Chainguard sqlpad to version 7.5.7-r17 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlpad package and not the sqlpad package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

Impact:

A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.

Patches:

Upgrade to path-to-regexp@0.1.13

Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.

Workarounds:

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.

CVSS Base Scores

version 3.1