cve 2026 33672

CVE-2026-33672 is a medium-severity vulnerability in the JavaScript glob-matching library Picomatch, disclosed in late March 2026 and tracked by Microsoft's Security Update Guide. The bug allows crafted POSIX character-class patterns to produce incorrect filename matches in affected application logic. While not a remote-code-execution issue, it affects build systems, developer tools, file upload filters, test runners, bundlers, and policy engines that rely on Picomatch for pattern matching. The impact depends on how applications use the library, as incorrect matches can lead to security bypasses or logic errors. This tag covers discussions about the vulnerability, its implications, and mitigation strategies for Windows and cross-platform environments.