3421 matches found
Security Bulletin: MongoDB Enterprised Advanced affected by: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CVE-2025-67030)
Summary There are vulnerabilities in plexus-utils-3.5.1.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2025-67030. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2025-67030 DESCRIPTION: Directory Traversal vulnerability in the extractFile method of...
Security Bulletin: MongoDB Enterprised Advanced affected by: Improper Locking (CVE-2026-22735)
Summary There are vulnerabilities in spring-web-6.2.15.jar, spring-webmvc-6.2.15.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-22735. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-22735 DESCRIPTION: Spring MVC and WebFlux applications are...
Security Bulletin: MongoDB Enterprised Advanced affected by: Authentication Bypass Using an Alternate Path or Channel (CVE-2026-22731, CVE-2026-22733)
Summary There are vulnerabilities in spring-boot-actuator-autoconfigure-3.5.9.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-22731, CVE-2026-22733. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-22731 DESCRIPTION: Spring Boot applications with...
Security Bulletin: MongoDB Enterprised Advanced affected by: Uncontrolled Resource Consumption (CVE-2026-22740)
Summary There are vulnerabilities in spring-web-6.2.17.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-22740. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-22740 DESCRIPTION: A WebFlux server application that processes multipart requests create...
Security Bulletin: MongoDB Enterprised Advanced affected by: Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-2026-22751)
Summary There are vulnerabilities in spring-security-core-6.5.9.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-22751. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-22751 DESCRIPTION: Vulnerability in Spring Spring Security. Applications that...
Security Bulletin: MongoDB Enterprised Advanced affected by: Missing Critical Step in Authentication (CVE-2026-40542)
Summary There are vulnerabilities in httpclient5-5.6.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-40542. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-40542 DESCRIPTION: Missing critical step in authentication in Apache HttpClient 5.6 allows an...
Security Bulletin: MongoDB Enterprised Advanced affected by: Observable Timing Discrepancy (CVE-2026-22746)
Summary There are vulnerabilities in spring-security-core-6.5.9.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-22746. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-22746 DESCRIPTION: Vulnerability in Spring Spring Security. If an application is...
Security Bulletin: MongoDB Enterprised Advanced affected by: Improper Link Resolution Before File Access ('Link Following'), Use of Insufficiently Random Values, Insecure Temporary File (CVE-2026-40977, CVE-2026-40975, CVE-2026-40973)
Summary There are vulnerabilities in spring-boot-3.5.12.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-40977, CVE-2026-40975, CVE-2026-40973. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-40973 DESCRIPTION: A local attacker on the same host as...
Security Bulletin: MongoDB Enterprised Advanced affected by: Use of Cache Containing Sensitive Information (CVE-2026-22741)
Summary There are vulnerabilities in spring-webmvc-6.2.17.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-22741. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-22741 DESCRIPTION: Spring MVC and WebFlux applications are vulnerable to cache...
Security Bulletin: MongoDB Enterprised Advanced affected by: Allocation of Resources Without Limits or Throttling (CVE-2026-29181)
Summary There are vulnerabilities in go.opentelemetry.io/otel-v1.37.0, go.opentelemetry.io/otel-v1.38.0, go.opentelemetry.io/otel-v1.40.0 used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-29181. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-29181...
Malicious code in mddriver (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5a5b264d05ffaf76e8be2d7a46cb2277211a045fa15e8c510ab60cdd5c5bae56 On require'mddriver', an IIFE in index.js invokes loadTokenData, which fetches https://www.jsonkeeper.com/b/C4H0M stored base64-encoded as...
Exploit for Improper Handling of Length Parameter Inconsistency in Mongodb
CVE-2025-14847-mongobleed CVE-2025-14847 mongobleed python fil...
GHSA-9WCP-79G5-5C3C Appsmith Super User Creation Race Condition Allows Multiple Instance Administrators
Summary The /api/v1/users/super endpoint enforces a restriction that only one super user Instance Administrator can be created during initial setup. However, due to a Time-of-Check-Time-of-Use TOCTOU race condition in the signupAndLoginSuper method, concurrent requests can bypass this restriction...
LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access
Summary A NoSQL injection vulnerability existed in MongoDBSaver where checkpoint identifier fields from config.configurable were used in MongoDB queries without strict type enforcement. In vulnerable versions, attacker-controlled object payloads for example MongoDB operators like $gt and $ne coul...
CVE-2026-11933
A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript for example, via $where or $function can cause the server to access...
UBUNTU-CVE-2026-11933
A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript for example, via $where or $function can cause the server to access...
CVE-2026-11933 Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion
A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript for example, via $where or $function can cause the server to access...
CVE-2026-11933
Technical details (affected products, versions, root cause, and remediation) are not publicly available in the provided documents. Please monitor for updates.
Linux Distros Unpatched Vulnerability : CVE-2026-9743
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In MongoDB Server 8.0, an aggregation stage can leave its subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on...
PT-2026-48817
Name of the Vulnerable Software and Affected Versions MongoDB Server affected versions not specified Description A use-after-free memory corruption flaw exists in the server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who...