3438 matches found
CVE-2026-34149
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and MongoDB collection exclusion names into backup shell commands without adequate escaping, allowing an...
CVE-2026-34049
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names did not fully validate shell metacharacters, allowing a highly privileged attacker who can configur...
CVE-2026-34049 Coolify: Command Injection via unsanitized MongoDB collection names in database backup
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names did not fully validate shell metacharacters, allowing a highly privileged attacker who can configur...
CVE-2026-34049
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names did not fully validate shell metacharacters, allowing a highly privileged attacker who can configur...
CVE-2026-34049
Coolify (open-source self-hosted) versions 4.0.0-beta.451–4.0.0-beta.470 have a command-injection risk in MongoDB backup handling where collection names do not fully validate shell metacharacters. An attacker with the ability to configure backup inputs and high privileges can inject commands into...
CVE-2026-48204
Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the...
EUVD-2026-41839
Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the...
CVE-2026-48204
The CVE describes an improper input validation and access-control flaw in Apache Camel’s MongoDB GridFS component where gridfs.* headers (gridfs.operation, gridfs.objectid, etc.) bypass the HTTP header filter. With no explicit operation, an unauthenticated HTTP client can override the GridFS oper...
PT-2026-55900
Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.0.0 through 4.14.7 Apache Camel versions 4.15.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.9 Description Improper input validation and improper access control in the Camel Mongodb Gridfs component allow an...
CVE-2026-59509
An unauthenticated improper input validation vulnerability in the POST /fetchcvedata endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections...
CVE-2026-59509
CVE-2026-59509 affects cve-search: unauthenticated improper input validation in POST /fetch_cve_data lets an attacker manipulate MongoDB query parameters (collection, projected fields, regex filters) to read arbitrary application MongoDB collections, including mgmt_users (administrative usernames...
EUVD-2026-41753
An unauthenticated improper input validation vulnerability in the POST /fetchcvedata endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections...
CVE-2026-59509 Unauthenticated arbitrary MongoDB collection read in cve-search
An unauthenticated improper input validation vulnerability in the POST /fetchcvedata endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections...
PT-2026-55794
Name of the Vulnerable Software and Affected Versions cve-search affected versions not specified Description An unauthenticated improper input validation issue exists in the 'POST /fetch cve data' endpoint. A remote attacker can manipulate request parameters that control the MongoDB collection,...
CVE-2026-41696
A flaw was found in Spring Data MongoDB. Repository query methods that use regular expression regex parameter binding perform insufficient validation of the bound parameter. A remote attacker can exploit this by supplying a crafted string, which could lead to breaking out of the intended regular...
GHSA-45GG-VH54-H5M9 vulnerabilities
Vulnerabilities for packages: argocd-image-updater, kots, kubescape, helm, kaf, frankenphp-8.2, prometheus-mongodb-exporter, istio, trivy-operator-fips, cloud-provider-aws, commercial-grafana, kubernetes, osv-scanner, argo-workflows, calico-fips, gitlab-rails-ce-fips, traefik-fips, frankenphp-8.4...
CVE-2026-45687
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it...
CVE-2026-45688
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOneid: ... query...
CVE-2026-45689
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, an unauthenticated network attacker obtains a valid Rocket.Chat OAuth access token for an arbitrary user by sending a single HTTP POST with...
OESA-2026-2691 mongo-c-driver security update
mongo-c-driver is a project that includes two libraries: libmongoc, a client library written in C for MongoDB. libbson, a library providing useful routines related to building, parsing, and iterating BSON documents. Security Fixes: The MongoDB C Driver's Cyrus SASL integration performs unsafe...