The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later parsed as a regular expression.
The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as \Q and \E in Perl.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
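The following added example (not part of the original entry, and not code from any SAST product) is a textual heuristic for the preg_replace() sink, far simpler than the data-flow model described above: it flags a first argument that carries the "e" modifier, and a first argument built from a PHP variable that was not escaped with preg_quote() and an explicit delimiter, PHP's counterpart to \Q and \E. The names scan, first_argument and SAMPLE are assumptions made for this example, and the PHP input is constructed.

```python
import re

CALL = re.compile(r"\bpreg_replace\s*\(", re.I)
# Closing delimiter, trailing modifier letters, closing quote of a PHP string.
MODIFIERS = re.compile(r"""[^\w\s\\'"]([A-Za-z]*)['"]\s*(?=[,.)\]]|$)""")
VARIABLE = re.compile(r"\$[A-Za-z_]\w*")
# preg_quote() only escapes the delimiter when it is passed as 2nd argument.
SAFE_QUOTE = re.compile(r"preg_quote\s*\([^(),]*,[^()]*\)", re.I)

def first_argument(src, start):
    """Cut out the first call argument, honouring quotes and nesting."""
    depth, quote, i = 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]" and depth:
            depth -= 1
        elif depth == 0 and ch in "),":     # end of the first argument
            break
        i += 1
    return src[start:i].strip()

def scan(php_source):
    """Return (line, finding) pairs for preg_replace calls worth reviewing."""
    findings = []
    for call in CALL.finditer(php_source):
        pattern = first_argument(php_source, call.end())
        line = php_source.count("\n", 0, call.start()) + 1
        if any("e" in m.group(1) for m in MODIFIERS.finditer(pattern)):
            findings.append((line, "e-modifier"))        # case (1)
        if VARIABLE.search(SAFE_QUOTE.sub("", pattern)):
            findings.append((line, "dynamic-pattern"))   # case (2)
    return findings

# Constructed PHP input for the demonstration; not taken from any real project.
SAMPLE = r'''<?php
$a = preg_replace('/\[b\](.*?)\[\/b\]/e', 'strtoupper("$1")', $text);
$b = preg_replace("/" . $_GET['find'] . "/", $repl, $text);
$c = preg_replace('/' . preg_quote($_GET['find'], '/') . '/i', $repl, $text);
$d = preg_replace('/' . preg_quote($term) . '/', $repl, $text);
'''
```

Calling scan(SAMPLE) reports lines 2, 3 and 5; line 4 is not reported because preg_quote() is given the delimiter, while line 5 is reported because preg_quote() without a delimiter argument leaves "/" unescaped.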
CVE-2006-2059: Executable regexp in PHP by inserting "e" modifier into first argument to preg_replace
CVE-2005-3420: Executable regexp in PHP by inserting "e" modifier into first argument to preg_replace
CVE-2006-2878: Complex curly syntax inserted into the replacement argument to PHP preg_replace(), which uses the "/e" modifier
CVE-2006-2908: Function allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier.