ReDoS Vulnerability in Flag Forge CTF Platform Affecting User Profile API
CVE-2026-21868

7.5HIGH

Key Information:

Vendor: Flagforgectf
Status: Flagforge
Vendor: CVE Published:; 8 January 2026

🔔 Create Flagforgectf Vulnerability Alert

What is CVE-2026-21868?

Flag Forge, a Capture The Flag (CTF) platform, contains a vulnerability in its user profile API endpoint, allowing an attacker to exploit a Regular Expression Denial of Service (ReDoS). This occurs because the application improperly constructs a regular expression using unescaped user input from the username parameter. By sending a specially crafted username that includes regex meta-characters, an attacker can cause the MongoDB regex engine to consume excessive CPU resources, resulting in disrupted service for legitimate users. The vulnerability has been resolved in version 2.3.3. As a precaution, it is advisable to implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

flagForge < 2.3.3

References

https://github.com/FlagForgeCTF/flagForge/security/adviso...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 8, 2026
Vulnerability Reserved
Jan 5, 2026

JSON

Flagforgectf

What is CVE-2026-21868?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.