CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

238 matches found

Mongoose - NoSQL Injection

NoSQL injection vulnerability in Mongoose 8.9.5 affecting the populate function's match option. This vulnerability exists due to an incomplete fix for CVE-2024-53900. While direct $where injection is blocked, attackers can bypass this protection by nesting $where operators within logical operator...

9.8CVSS8.9AI score0.07025EPSS

Exploits3References4

Nuclei•added yesterday•39 views

Agentejo Cockpit < 0.11.2 - NoSQL Injection

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. The $eq operator matches documents where the value of a field equals the specified value. id: CVE-2020-35846 info: name: Agentejo Cockpit 0.11.2 - NoSQL Injection author: dwisiswant0 severity: critic...

9.8CVSS8.3AI score0.93292EPSS

Exploits10References5

Nuclei•added yesterday•111 views

Rocket.Chat <=3.13 - NoSQL Injection

Rocket.Chat 3.11, 3.12 and 3.13 contains a NoSQL injection vulnerability which allows unauthenticated access to an API endpoint. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected...

9.8CVSS8.4AI score0.95242EPSS

Exploits16References6

OSV•added 5 days ago•4 views

GHSA-98XF-R82G-9MHX LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access

Summary A NoSQL injection vulnerability existed in MongoDBSaver where checkpoint identifier fields from config.configurable were used in MongoDB queries without strict type enforcement. In vulnerable versions, attacker-controlled object payloads for example MongoDB operators like $gt and $ne coul...

6.7CVSS5.4AI score0.00022EPSS

Exploits0References5

Positive Technologies•added 5 days ago•5 views

PT-2026-48932

6.7CVSS5.4AI score0.00022EPSS

Exploits0References6

NVD•added 6 days ago•5 views

CVE-2026-47181

PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a...

8.7CVSS0.00251EPSS

Exploits0References1

Cvelist•added 6 days ago•25 views

CVE-2026-47181 PenguinMod-BackendApi: NoSQL Injection in Password Reset Endpoint Allows Account Takeover

8.7CVSS0.00251EPSS

Exploits0References1

CVE•added 6 days ago•6 views

CVE-2026-47181

CVE-2026-47181 affects the PenguinMod-BackendApi, the backend API for PenguinMod. Prior to version 1.0.0, a NoSQL injection flaw in the password reset endpoint lets any authenticated user change the password of an account, enabling full account takeover. An attacker must have a registered account...

8.7CVSS5.4AI score0.00251EPSS

Exploits0References1

CNNVD•added 6 days ago•2 views

PenguinMod-BackendApi 输入验证错误漏洞

PenguinMod-BackendApi is a backend API service developed under the open source of PenguinMod, supporting storage using MongoDB and MinIO. Prior to version 1.0.0 of PenguinMod-BackendApi, there was a vulnerability related to input validation errors. This vulnerability stemmed from NoSQL injection ...

8.7CVSS5.3AI score0.00251EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:49 p.m.•4 views

CVE-2026-29198

In Rocket.Chat 8.3.0, 8.2.1, 8.1.2, 8.0.3, 7.13.5, 7.12.6, 7.11.6, and 7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured...

9.8CVSS5.5AI score0.00308EPSS

Exploits0References1

OSV•added 2026/05/18 5:48 a.m.•3 views

BIT-MONGOOSE-2026-42334 Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps quer...

7.5CVSS5.8AI score0.00274EPSS

Exploits0References2

Cvelist•added 2026/05/14 6:3 p.m.•34 views

CVE-2026-42334 Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

7.5CVSS0.00274EPSS

Exploits0References1

Vulnrichment•added 2026/05/14 6:3 p.m.•6 views

CVE-2026-42334 Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

7.5CVSS5.8AI score0.00274EPSS

Exploits0References1

CVE•added 2026/05/14 6:3 p.m.•12 views

CVE-2026-42334

Technical details about CVE-2026-42334 are not publicly available in the provided documents. Monitor for updates.

7.5CVSS5.8AI score0.00274EPSS

Exploits0References1Affected Software1

Patchstack•added 2026/05/05 9:48 p.m.•6 views

NPM: Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

NPM: Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection vulnerability discovered by ? in WordPress Npm mongoose versions = 9.0.0, = 9.1.5...

7.5CVSS5.8AI score0.00274EPSS

Exploits0References5Affected Software1

EUVD•added 2026/04/23 12:31 a.m.•3 views

EUVD-2026-25129

9.8CVSS5.8AI score0.00308EPSS

Exploits0References3

NVD•added 2026/04/23 12:16 a.m.•1 views

CVE-2026-29198

9.8CVSS0.00308EPSS

Exploits0References2

CNNVD•added 2026/04/23 12:0 a.m.•10 views

Rocket.Chat SQL注入漏洞

Rocket.Chat is a chat software developed by the Rocket.Chat company. Versions prior to 8.3.0, 8.2.1, 8.1.2, 8.0.3, 7.13.5, 7.12.6, 7.11.6, and 7.10.9 have a SQL injection vulnerability. This vulnerability stems from NoSQL injection and could lead to the takeover of the first user account with a...

9.8CVSS5.9AI score0.00308EPSS

Exploits0References1

Cvelist•added 2026/04/22 11:30 p.m.•33 views

CVE-2026-29198

0.00308EPSS

Exploits0References2