CVE-2026-40319

Description

Giskard is an open-source testing framework for AI models. In versions prior to 1.0.2b1, the RegexMatching check passes a user-supplied regular expression pattern directly to Python's re.search() without any timeout or complexity guard. A crafted regex pattern can trigger catastrophic backtracking, causing the process to hang indefinitely. Exploitation requires write access to a check definition and subsequent execution of the test suite. This issue has been fixed in giskard-checks version 1.0.2b1.

CVSS v3.1 Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS — Exploit Prediction

0.0001

Probability of exploitation

0.01%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-1333 CWE-1333

Affected Products

Vendor	Product	Versions
giskard	giskard	< 1.0.2

References

Advisories & Patches

https://github.com/Giskard-AI/giskard-oss/security/advisories/GHSA-rq2q-4r55-9877

Other References

https://github.com/Giskard-AI/giskard-oss/releases/tag/giskard-checks%2Fv1.0.2b1

Frequently Asked Questions

What is CVE-2026-40319? +

Giskard is an open-source testing framework for AI models. In versions prior to 1.0.2b1, the RegexMatching check passes a user-supplied regular expression pattern directly to Python's re.search() without any timeout or complexity guard. A crafted regex pattern can trigger catastrophic backtracking, causing the process to hang indefinitely. Exploitation requires write access to a check definition and subsequent execution of the test suite. This issue has been fixed in giskard-checks version 1.0.2b1. It has a CVSS v3.1 base score of 5.5 (MEDIUM).

How severe is CVE-2026-40319? +

CVE-2026-40319 has a CVSS v3.1 score of 5.5 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance. The EPSS score is 0.0001, placing it in the 0th percentile for exploitation probability.

What products are affected by CVE-2026-40319? +

CVE-2026-40319 affects products from giskard, specifically: giskard. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2026-40319? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-48058

PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, there is a …

CVE-2025-48059

PowSyBl (Power System Blocks) is a framework to build power system oriented software. In com.powsybl:powsybl-iidm-criteria versions 6.3.0 to before 6.7.2 …

CVE-2025-6998

ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service …

CVE-2025-54363

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression …

CVE-2025-54364

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. option_descriptions employs an inefficient regular expression …

CVE-2025-58451

Cattown is a JavaScript markdown parser. Versions prior to 1.0.2 used regular expressions with inefficient, potentially exponential worst-case complexity. This …