CVE-2026-5986

low-risk

Published 2026-04-09

A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

References (5)

https://github.com/Zod-/jsVideoUrlParser/issues/121

https://github.com/Zod-/jsVideoUrlParser/issues/121#issue-4159661957

https://vuldb.com/submit/791911

https://vuldb.com/vuln/356540

https://vuldb.com/vuln/356540/cti

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal