Lucene search
K

401 matches found

Nuclei
Nuclei
added 2 days ago204 views

mongo-express Remote Code Execution

mongo-express before 0.54.0 is vulnerable to remote code execution via endpoints that uses the toBSON method and misuse the vm dependency to perform exec commands in a non-safe environment. id: CVE-2019-10758 info: name: mongo-express Remote Code Execution author: princechaddha severity: critical...

9.9CVSS7.8AI score0.84845EPSS
Exploits3References5
Nuclei
Nuclei
added 5 days ago128 views

Mongo-Express - Remote Code Execution

Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to remote code execution in the context of the node server. id: CVE-2020-24391 info: nam...

9.8CVSS7.9AI score0.75088EPSS
Exploits0References5
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-278 Improper Certificate Validation in apache airflow mongo hook

When ssl was enabled for Mongo Hook, default settings included "allowinsecure" which caused that certificates were not validated. This was unexpected and undocumented. Users are recommended to upgrade to version 4.0.0, which fixes this issue...

9.1CVSS7.2AI score0.0062EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.8 views

PT-2026-52093

🚨 CVE-2026-45688 Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOn...

9.1CVSS5.8AI score0.00289EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/06/23 2:31 a.m.5 views

SUSE CVE-2026-2303

The mongo-go-driver repository contains CGo bindings for GSSAPI Kerberos authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not...

6.9CVSS5.9AI score0.00223EPSS
Exploits0References3
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.2 views

Astra Linux – Vulnerability in Wireshark

MONGO and ZigBee TLV dissector have infinite loops in Wireshark versions 4.2.0 to 4.2.4, 4.0.0 to 4.0.14, and 3.6.0 to 3.6.22. These bugs allow for denial of service through packet injection or with properly crafted capture files...

7.5CVSS6.8AI score0.00811EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/06/12 12:0 a.m.18 views

Linux Distros Unpatched Vulnerability : CVE-2026-9750

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing...

7.1CVSS5.5AI score0.00368EPSS
Exploits0References2
NVD
NVD
added 2026/06/10 12:16 a.m.15 views

CVE-2026-41696

Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0...

5.9CVSS0.00262EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.22 views

PT-2026-48312

Name of the Vulnerable Software and Affected Versions Spring Data MongoDB versions 5.0.0 through 5.0.5 Spring Data MongoDB versions 4.5.0 through 4.5.11 Spring Data MongoDB versions 4.4.0 through 4.4.14 Spring Data MongoDB versions 4.3.0 through 4.3.16 Spring Data MongoDB versions 4.2.0 through...

5.9CVSS5.8AI score0.00262EPSS
Exploits0References3
CVE
CVE
added 2026/06/02 10:35 p.m.40 views

CVE-2026-32625

LibreChat vulnerability CVE-2026-32625 affects versions up to 0.8.3 where MCP server URL validation expands ${VAR} against process.env during Zod schema checks. An authenticated user can configure a malicious MCP URL to exfiltrate secrets (CREDS_KEY, CREDS_IV, JWT_SECRET, MONGO_URI) to an attacke...

9.6CVSS5.8AI score0.0294EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/02 10:35 p.m.8 views

CVE-2026-32625 LibreChat Exfiltrates Server Secrets via MCP Server URL Injection

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol MCP server integration resolves $VAR placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any...

9.6CVSS5.8AI score0.0294EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/02 10:35 p.m.36 views

CVE-2026-32625 LibreChat Exfiltrates Server Secrets via MCP Server URL Injection

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol MCP server integration resolves $VAR placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any...

9.6CVSS0.0294EPSS
Exploits1References1
Snyk
Snyk
added 2026/06/02 9:0 p.m.11 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/02 12:0 a.m.60 views

PT-2026-45878

Name of the Vulnerable Software and Affected Versions LibreChat versions prior to 0.8.4-rc1 Description LibreChat is an enhanced ChatGPT clone supporting multiple AI providers. The Model Context Protocol MCP server integration improperly resolves $VAR placeholders against the server's process.env...

9.6CVSS5.5AI score0.0294EPSS
Exploits1References10
CNNVD
CNNVD
added 2026/06/02 12:0 a.m.5 views

LibreChat 信息泄露漏洞

LibreChat is an open-source, free, and highly customizable unified AI dialogue platform. It allows for the aggregation and running of large models from any vendor within a single interface. Versions of LibreChat 0.8.3 and earlier contained a security vulnerability known as information leakage. Th...

9.6CVSS5.4AI score0.0294EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/05/28 12:0 a.m.13 views

PT-2026-44524

Vulnerability in Oracle REST Data Services component: Mongoapi. Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability...

7.5CVSS5.8AI score0.00273EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/21 12:28 p.m.10 views

Malicious code in finup-mongo-library (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d9d0b210938322b805e1c8d94db07f45ca029fc4e69fb3a57f424eb885c1a39 dist/common/instrument.js calls Sentry.init at module top level with a hardcoded DSN pointing at the author's Sentry project...

5.8AI score
Exploits0References12
OSV
OSV
added 2026/05/21 12:28 p.m.12 views

MAL-2026-4564 Malicious code in finup-mongo-library (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d9d0b210938322b805e1c8d94db07f45ca029fc4e69fb3a57f424eb885c1a39 dist/common/instrument.js calls Sentry.init at module top level with a hardcoded DSN pointing at the author's Sentry project...

5.8AI score
Exploits0References12
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/11 6:22 p.m.11 views

Security Bulletin: MongoDB Enterprised Advanced affected by: XML External Entity (XXE) vulnerability (CVE-2026-24400)

Summary There are vulnerabilities in assertj-core-3.27.6.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-24400. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-24400 DESCRIPTION: AssertJ provides Fluent testing assertions for Java and the Java Virtu...

9.1CVSS7.2AI score0.00542EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/11 6:16 p.m.7 views

Security Bulletin: MongoDB Enterprised Advanced affected by: Improper Input Validation vulnerability (CVE-2025-15284, CVE-2026-2391)

Summary There are vulnerabilities in qs-6.14.0.tgz, qs-6.14.1.tgz used in MongoDB Enterprised Advanced for IBM, involving CVE-2025-15284, CVE-2026-2391. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs...

7.5CVSS6.8AI score0.00478EPSS
Exploits2Affected Software1
Rows per page
Query Builder