31 matches found
Mongoose - NoSQL Injection
NoSQL injection vulnerability in Mongoose 8.9.5 affecting the populate function's match option. This vulnerability exists due to an incomplete fix for CVE-2024-53900. While direct $where injection is blocked, attackers can bypass this protection by nesting $where operators within logical operator...
ROOT-OS-DEBIAN-13-CVE-2026-23061 CVE-2026-23061 in rootio-linux - Patched by Root
Root has patched CVE-2026-23061 in the rootio-linux package for Root:Debian:13. Multiple fixed versions available...
ROOT-OS-DEBIAN-12-CVE-2026-23061 CVE-2026-23061 in rootio-linux - Patched by Root
Root has patched CVE-2026-23061 in the rootio-linux package for Root:Debian:12. Multiple fixed versions available...
CVE-2026-23061
creationtimestamp | type | source
---|---|---
2026-03-19 00:00:00+00:00 | seen | https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0316/
2026-04-07 18:00:00+00:00 | seen | https://www.hkcert.org/security-bulletin/ubuntu-linux-kernel-multiple-vulnerabilities20260408
2026-05-10 18:00:00+00:00 | seen | ...
BELL-CVE-2026-23061
Bulletin has no description...
CVE-2026-23061
A flaw was found in the Linux kernel's kvaser_usb Controller Area Network (CAN) driver. A local, low-privileged user could exploit a memory leak in the kvaser_usb_read_bulk_callback function. This occurs because USB Request Blocks (URBs) are not properly unanchored and freed, leading to memory exhaustion...
DEBIAN-CVE-2026-23061
In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a "can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak". In kvaser_usb_set_{,data}bittiming() -> kvaser_usb_setup_rx_urbs(), t...
CVE-2026-23061
In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a "can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak". In kvaser_usb_set_{,data}bittiming() -> kvaser_usb_setup_rx_urbs(), t...
Linux Distros Unpatched Vulnerability : CVE-2026-23061
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a can: gs_usb: gs_usb_receive_bulk_callback(): fix URB...
CVE-2025-23061
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900...
Exploit for Code Injection in Mongoosejs Mongoose
CVE-2025-23061 - Mongoose Command Injection A proof of concep...
Security Bulletin: Mongoose Improper Handling of Nested $where in populate() Match Allows Search Injection
Summary Mongoose improper handling of nested $where in populate match allows search injection due to incomplete fix for CVE-2024-53900. Vulnerability Details CVEID:CVE-2025-23061 DESCRIPTION: Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in Mongoose
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of Mongoose Vulnerability Details CVEID:CVE-2025-23061 DESCRIPTION: Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search injection. NOTE: this issue exists because of an...
Microsoft Edge for iOS Spoofing Vulnerability (CNVD-2025-23061)
Microsoft Edge is a web browser from the American company Microsoft that comes with systems after Windows 10. Microsoft Edge for iOS has a spoofing vulnerability that can be exploited by attackers to conduct spoofing attacks...
PT-2025-7788
Name of the Vulnerable Software and Affected Versions Kiteworks MFT versions prior to 9.1.0 Description An improper definition of roles and permissions in Kiteworks MFT regarding the management of Connections could allow authorized users to unexpectedly escalate privileges. This affects file...
@a-la-fois/api (>=0.0.25 <=0.0.39), @a-la-fois/doc-client (>=0.0.1 <=0.0.39) +110 more potentially affected by CVE-2025-23061 via mongoose (>=7.0.0 <=7.8.3)
mongoose NPM version =7.0.0, =0.0.25, =0.0.1, =0.0.25, =0.0.1, =0.0.25, =3.12.0, =1.0.0, =1.0.6, =0.2.0, =0.2.0, =0.0.0, =1.0.2, =1.0.0, =7.6.10, =7.8.3 and more Source cves: CVE-2025-23061 Source advisory: OSV:GHSA-VG7J-7CWX-8WGW...
01runmodel (>=1.0.3 <=1.0.4), 1405-authtokens (>=1.0.1 <=1.0.5) +9314 more potentially affected by CVE-2025-23061 via mongoose (>=1.0.0 <=6.13.5)
mongoose NPM version =1.0.0, =1.0.3, =1.0.1, =1.0.0, =1.0.0, =1.0.7, =0.0.1, =0.0.2, =0.3.0, =0.0.1, =0.0.5 and more Source cves: CVE-2025-23061 Source advisory: OSV:GHSA-VG7J-7CWX-8WGW...
03-08 (=1.0.0), 06-jobs-api-vydeekelz (=1.0.0) +4061 more potentially affected by CVE-2025-23061 via mongoose (>=8.0.0 <=8.9.4)
mongoose NPM version =8.0.0, =1.0.0, =1.6.3, =1.0.0, =1.1.2, =0.1.2, =0.1.142 and more Source cves: CVE-2025-23061 Source advisory: OSV:GHSA-VG7J-7CWX-8WGW...
CVE-2025-23061
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900...
CVE-2025-23061
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900...