Method Injection Vulnerability in Picomatch Glob Matcher by Micromatch
CVE-2026-33672

5.3MEDIUM

Key Information:

Vendor: Micromatch
Status: Picomatch
Vendor: CVE Published:; 26 March 2026

What is CVE-2026-33672?

Picomatch, a glob matcher developed in JavaScript, is susceptible to a method injection vulnerability in certain earlier versions. This occurs due to the POSIX_REGEX_SOURCE object inheriting from Object.prototype, allowing specially crafted POSIX bracket expressions to inadvertently reference inherited method names. Consequently, the affected patterns may demonstrate incorrect glob matching behavior, potentially leading to errors in security-relevant application logic. While this does not facilitate remote code execution, it poses risks where effective filtering, validation, or access control is necessary. Users of vulnerable Picomatch versions that handle untrusted glob patterns are encouraged to upgrade to versions 4.0.4, 3.0.2, or 2.3.2. If an immediate upgrade is not feasible, it is advised to avoid using untrusted glob patterns with Picomatch, alongside implementing sanitization techniques and avoiding the inclusion of POSIX bracket expressions with user inputs.

Affected Version(s)

picomatch >= 4.0.0, < 4.0.4 < 4.0.0, 4.0.4

picomatch >= 3.0.0, < 3.0.2 < 3.0.0, 3.0.2

picomatch < 2.3.2 < 2.3.2

References

https://github.com/micromatch/picomatch/security/advisori...

x_refsource_CONFIRM

https://github.com/micromatch/picomatch/commit/4516eb521f...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 26, 2026
Vulnerability Reserved
Mar 23, 2026

CVE-2026-33672 Data

JSON