Abstraction: Base · Status: Incomplete

CWE-624: Executable Regular Expression Error

Category: other

Description

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers. Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later parsed as a regular expression.

Common consequences (1)

  • Confidentiality / Integrity / Availability — Execute Unauthorized Code or Commands

Potential mitigations (1)

  • [Implementation] The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as \Q and \E in Perl.

References

  1. https://cwe.mitre.org/data/definitions/624.html

Incoming relations (1)

  Type           Target           Confidence   Tier
  Vulnerability  CVE-2026-25237   0%           live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Incorrect Regular Expression
  • CWE: Regular Expression without Anchors
  • CWE: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • CWE: Permissive Regular Expression
  • CWE: Improper Neutralization of Encoded URI Schemes in a Web Page
  • CWE: Improper Neutralization of Alternate XSS Syntax

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.