The product uses a regular expression that does not sufficiently restrict the set of allowed values.