CVE-2026-30838: Insecure Regex Domain Implode
Provally Curated | Public repository | Medium | Medium confidence | Verified | Apache-2.0 | PHP | β
greprules fetch cve-2026-30838-insecure-regex-domain-implode --engine opengrep

Description
Constructing a regular expression with a list of domains without enforcing a proper trailing boundary allows for spoofing. For instance, an allowlist for `example.com` might incorrectly match `example.com.evil.com`. Ensure that the domain regex enforces a boundary (e.g., `$` or `/`), or use `parse_url()` and exact string matching instead.
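The pattern this rule describes, next to both remediations named above, as an added example that is not taken from the rule or from any affected project. The function names, the allowlist and the sample URLs are constructed for illustration.

```php
<?php
// Constructed allowlist for illustration.
$allowed = ['example.com', 'cdn.example.org'];

// Weak: domains are imploded into an alternation with no trailing boundary
// (and unescaped dots), so any host that merely starts with an entry matches.
function isAllowedWeak(string $url, array $allowed): bool
{
    $pattern = '#^https?://(' . implode('|', $allowed) . ')#i';
    return preg_match($pattern, $url) === 1;
}

// Remediation 1: keep the regex, but quote each entry and require that the
// host is followed by "/" or the end of the string. The D modifier stops "$"
// from also matching before a trailing newline.
function isAllowedAnchored(string $url, array $allowed): bool
{
    $quoted = array_map(fn($d) => preg_quote($d, '#'), $allowed);
    $pattern = '#^https?://(?:' . implode('|', $quoted) . ')(?:/|$)#iD';
    return preg_match($pattern, $url) === 1;
}

// Remediation 2: parse the URL and compare the host exactly.
function isAllowedStrict(string $url, array $allowed): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowed, true);
}

// Constructed sample URLs: two legitimate hosts and the spoofed form.
$samples = [
    'https://example.com/login',
    'https://cdn.example.org',
    'https://example.com.evil.com/login',
];
foreach ($samples as $url) {
    printf("%-38s weak=%-5s anchored=%-5s strict=%s\n", $url,
        var_export(isAllowedWeak($url, $allowed), true),
        var_export(isAllowedAnchored($url, $allowed), true),
        var_export(isAllowedStrict($url, $allowed), true));
}
```

The anchored variant is deliberately narrow: it rejects allowlisted hosts followed by a port or a bare query string, which the `parse_url()` variant accepts.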