{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29856", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-19T14:19:23.842Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-18T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-18T17:11:10.867Z"}, "descriptions": [{"lang": "en", "value": "An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/aapanel/aapanel"}, {"url": "https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2026-29856"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T14:16:38.240520Z", "id": "CVE-2026-29856", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:19:23.842Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29856", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T14:16:38.240520Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:19:19.316Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/aapanel/aapanel"}, {"url": "https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2026-29856"}], "descriptions": [{"lang": "en", "value": "An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-18T17:11:10.867Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29856", "state": "PUBLISHED", "dateUpdated": "2026-03-19T14:19:23.842Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-18T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aapanel:aapanel:7.57.0:*:*:*:*:*:*:*", "matchCriteriaId": "BEA5AFC6-F733-4683-A374-C9665E0A2250", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input."}], "id": "CVE-2026-29856", "lastModified": "2026-03-19T19:23:57.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-18T18:16:27.110", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/aapanel/aapanel"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2026-29856"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.57.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "aapanel", "vendor": "aapanel"}], "analysis": {"en": {"generated_at": "2026-03-19T21:24:24.395018+00:00", "value": {"mitigation_remediation": ["Apply the official aaPanel patch that fixes the ReDoS issue as soon as it is available.", "If a patch is not yet released, implement a timeout or limit input size for regex processing within the virtual host configuration parser.", "Enable monitoring of system logs for abnormal regex processing spikes and apply rate\u2011limiting or temporary blocking of suspicious traffic to reduce impact."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service (ReDoS)"}, "threat_synthesis": {"affected_systems": "The affected product is aaPanel version 7.57.0, as identified by the CPE entry cpe:2.3:a:aapanel:aapanel:7.57.0.*.*.*.*.*", "description_and_impact": "An issue in aaPanel version 7.57.0\u2019s VirtualHost configuration handling/parser component allows an attacker to trigger a Regular Expression Denial of Service (ReDoS) by submitting crafted input. The flaw leads to uncontrolled resource consumption during regex processing, resulting in excessive CPU usage or memory usage that can degrade service performance or cause a complete outage. The vulnerability is identified as CWE\u2011400 (Uncontrolled Resource Consumption).", "risk_and_exploitability": "The CVSS score of 7.5 places this vulnerability in the high severity range, indicating a significant impact if successfully exploited. EPSS indicates a very low overall exploitation probability (<\u202f1\u202f%), and the vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that the attack vector is remote, requiring an attacker to influence the virtual host configuration processing through malicious web requests handled by aaPanel, which would lead to application slowdown or denial of service for legitimate users."}}}}, "created": "2026-03-19T08:57:06.022778+00:00", "updated": "2026-03-24T10:54:06.322725+00:00", "vendors": ["aapanel", "aapanel$PRODUCT$aapanel"]}