CVE-2026-10692

Description

A weakness has been identified in johnhuang316 code-index-mcp up to 2.14.0. Affected is the function is_safe_regex_pattern of the component search_code_advanced. Executing a manipulation of the argument regex can lead to inefficient regular expression complexity. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.14.1 is able to address this issue. This patch is called 25bc02fac74051ddae15ce79e952f00211b1ea6b. Upgrading the affected component is recommended.

PUBLISHED Reserved 2026-06-02 | Published 2026-06-02 | Updated 2026-06-03 | Assigner VulDB

Problem types

Inefficient Regular Expression Complexity

Resource Consumption

Product status

Timeline

Credits

skywings (VulDB User) reporter

References

vuldb.com/vuln/367961 (VDB-367961 | johnhuang316 code-index-mcp search_code_advanced is_safe_regex_pattern redos) vdb-entry technical-description

vuldb.com/vuln/367961/cti (VDB-367961 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/cve/CVE-2026-10692 (CVE-2026-10692 | CVE Analysis and Report) third-party-advisory

vuldb.com/submit/830786 (Submit #830786 | johnhuang316 code-index-mcp Latest Denial of Service) third-party-advisory

github.com/johnhuang316/code-index-mcp/issues/84 exploit issue-tracking

github.com/...ommit/25bc02fac74051ddae15ce79e952f00211b1ea6b patch

github.com/johnhuang316/code-index-mcp/releases/tag/v2.14.1 patch

github.com/johnhuang316/code-index-mcp/ product

cve.org (CVE-2026-10692)

nvd.nist.gov (CVE-2026-10692)

Download JSON