Lucene search
K

1170 matches found

Nuclei
Nuclei
added 10 hours ago69 views

Mongoose - NoSQL Injection

NoSQL injection vulnerability in Mongoose 8.9.5 affecting the populate function's match option. This vulnerability exists due to an incomplete fix for CVE-2024-53900. While direct $where injection is blocked, attackers can bypass this protection by nesting $where operators within logical operator...

9.8CVSS7.3AI score0.07025EPSS
Exploits3References4
Nuclei
Nuclei
added 10 hours ago45 views

Mongoose < 8.8.3 - Remote Code Execution

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. id: CVE-2024-53900 info: name: Mongoose 8.8.3 - Remote Code Execution author: h4mg severity: critical description: | Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. impact...

9.1CVSS7.1AI score0.03988EPSS
Exploits3References5
Vulnrichment
Vulnrichment
added 5 days ago7 views

CVE-2026-11404 Cesanta Mongoose before 7.22 Out-of-Bounds Read in MG_TLS_BUILTIN ClientHello Session ID Parsing

Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mgtlsserverrecvhello, which uses an attacker-controlled sessionidlen byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated...

8.7CVSS6.2AI score0.00441EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-11404 Cesanta Mongoose before 7.22 Out-of-Bounds Read in MG_TLS_BUILTIN ClientHello Session ID Parsing

Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mgtlsserverrecvhello, which uses an attacker-controlled sessionidlen byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated...

8.7CVSS0.00441EPSS
Exploits0References4
CVE
CVE
added 5 days ago10 views

CVE-2026-11404

Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthent...

8.7CVSS6.2AI score0.00441EPSS
Exploits0References4
EUVD
EUVD
added 5 days ago7 views

EUVD-2026-42605

Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mgtlsserverrecvhello, which uses an attacker-controlled sessionidlen byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated...

8.7CVSS6.2AI score0.00441EPSS
Exploits0References4
OSV
OSV
added 2026/07/06 6:1 p.m.7 views

MAL-2026-6797 Malicious code in mongoose-lean-hooks (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 540ace1cb8bc936ea953554a9ffc28203370f82cb5e5a7dfbf1454bf0e834b9a On require'mongoose-lean-hooks', the package's main entry index.js runs a top-level async IIFE that issues an HTTP GET to...

6.5AI score
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 6:1 p.m.6 views

Malicious code in mongoose-lean-hooks (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 540ace1cb8bc936ea953554a9ffc28203370f82cb5e5a7dfbf1454bf0e834b9a On require'mongoose-lean-hooks', the package's main entry index.js runs a top-level async IIFE that issues an HTTP GET to...

6.5AI score
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/26 2:18 a.m.11 views

Malicious code in mongoose-json-format (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 910cc6eef707ac872daeb3a527e6dd9c75044ebb178f9eb48745f5cfd4123968 helpers.js defines a createLog helper that base64-decodes a constant HASHKEY to https://www.jsonkeeper.com/b/XVHGD an anonymous JSON-paste host and...

6AI score
Exploits0References3
Snyk
Snyk
added 2026/06/02 9:0 p.m.11 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
UbuntuCve
UbuntuCve
added 2026/06/01 12:0 a.m.10 views

CVE-2025-65502

Null pointer dereference in addcacerts in Cesanta Mongoose before...

4.3CVSS5.8AI score0.00246EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/05/21 12:53 p.m.14 views

CVE-2026-42334

A flaw was found in Mongoose, a MongoDB object modeling tool. A remote attacker could bypass the sanitizeFilter query sanitization mechanism by injecting malicious operators, such as $ne, $gt, or $regex, within a $nor clause. This vulnerability arises because the $nor operator was not properly...

7.5CVSS5.8AI score0.00274EPSS
Exploits0References2
OSV
OSV
added 2026/05/18 5:48 a.m.5 views

BIT-MONGOOSE-2026-42334 Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps quer...

7.5CVSS5.8AI score0.00274EPSS
Exploits0References2
NVD
NVD
added 2026/05/14 6:16 p.m.20 views

CVE-2026-42334

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps quer...

7.5CVSS0.00274EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/14 6:3 p.m.41 views

CVE-2026-42334 Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps quer...

7.5CVSS0.00274EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/14 6:3 p.m.8 views

CVE-2026-42334

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps quer...

7.5CVSS5.8AI score0.00274EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/14 6:3 p.m.10 views

CVE-2026-42334 Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps quer...

7.5CVSS5.8AI score0.00274EPSS
Exploits0References1
CVE
CVE
added 2026/05/14 6:3 p.m.25 views

CVE-2026-42334

Technical details about CVE-2026-42334 are not publicly available in the provided documents. Monitor for updates.

7.5CVSS5.8AI score0.00274EPSS
Exploits0References1Affected Software1
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.14 views

Mongoose 注入漏洞

Mongoose is an open-source MongoDB object modeling framework developed by Automattic. It is designed to work in asynchronous environments. Prior to versions 6.13.9, 7.8.9, 8.22.1, and 9.1.6, Mongoose had an injection vulnerability. This vulnerability stemmed from bypassing the sanitizeFilter quer...

7.5CVSS5.8AI score0.00274EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/11 12:0 a.m.14 views

Linux Distros Unpatched Vulnerability : CVE-2026-5246

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mgtlsverifycertsignature of the file mongoose.c of the component P-384...

8.1CVSS5.4AI score0.00622EPSS
Exploits0References3
Rows per page
Query Builder