Description
GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via a crafted input string.
Published: 2026-04-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from an inefficient regular expression that can be triggered by a specially crafted input string, causing excessive CPU usage and leading to a denial of service for the affected system. The weakness is identified as CWE‑1333, a regular expression denial of service attack.

Affected Systems

GROWI provided by GROWI, Inc. is affected. No specific version information is supplied, so administrators should verify the installed build for exposure.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, yet the EPSS score of less than 1% suggests a low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the submission of a malicious input string, presumably through an HTTP interface, although the precise pathway is not explicitly stated in the description and is inferred from the nature of the defect.

Generated by OpenCVE AI on April 28, 2026 at 14:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest GROWI release that contains the regular expression fix.
  • If an immediate upgrade is not feasible, enforce input validation to reject overly complex or large strings processed by the vulnerable regex.
  • Deploy a Web Application Firewall to detect and block requests containing suspicious or excessively large strings that could trigger the regex denial of service.

Generated by OpenCVE AI on April 28, 2026 at 14:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Title Regular Expression Denial of Service in GROWI

Tue, 28 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Growi
Growi growi
Vendors & Products Growi
Growi growi

Thu, 23 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via a crafted input string.
Weaknesses CWE-1333
References
Metrics cvssV3_0

{'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Growi Growi
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-04-23T12:24:38.209Z

Reserved: 2026-04-16T08:21:20.314Z

Link: CVE-2026-41040

cve-icon Vulnrichment

Updated: 2026-04-23T12:24:32.557Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-23T07:16:41.070

Modified: 2026-04-24T14:50:56.203

Link: CVE-2026-41040

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses