15 matches found

Nuclei
added 17 hours ago, 7 views

Mongoose < 8.8.3 - Remote Code Execution

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. id: CVE-2024-53900 info: name: Mongoose 8.8.3 - Remote Code Execution author: h4mg severity: critical description: | Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. impact...

9.1 CVSS, 7.5 AI score, 0.52176 EPSS
Exploits 3, References 5

VulnCheck KEV
added 2025/11/27 12:0 a.m., 9 views

VulnCheck KEV: CVE-2024-53900

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection...

9.1 CVSS, 5.8 AI score, 0.52176 EPSS
In wild, Exploits 3, References 2

IBM Security Bulletins
added 2025/06/26 6:27 p.m., 5 views

Security Bulletin: Mongoose Improper Handling of Nested $where in populate() Match Allows Search Injection

Summary Mongoose improper handling of nested $where in populate match allows search injection due to incomplete fix for CVE-2024-53900. Vulnerability Details CVEID:CVE-2025-23061 DESCRIPTION: Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search...

9.8 CVSS, 7.9 AI score, 0.55322 EPSS
Exploits 3, Affected Software 1

IBM Security Bulletins
added 2025/04/17 3:8 a.m., 18 views

Security Bulletin: Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.

Summary Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. Vulnerability Details CVEID:CVE-2024-53900 DESCRIPTION: Mongoose before 8.8.3 can improperly use $where in match. CWE:CWE-89: Improper Neutralization of Special Elements used in an SQL Command 'SQL...

9.1 CVSS, 7.7 AI score, 0.52176 EPSS
Exploits 3, Affected Software 1

IBM Security Bulletins
added 2025/04/15 3:57 a.m., 10 views

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in Mongoose

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of Mongoose Vulnerability Details CVEID:CVE-2024-53900 DESCRIPTION: Mongoose before 8.8.3 can improperly use $where in match. CWE:CWE-89: Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' CVSS...

9.1 CVSS, 9.1 AI score, 0.52176 EPSS
Exploits 3, Affected Software 1

GithubExploit
added 2025/04/03 5:1 p.m., 425 views

Exploit for CVE-2024-53900

CTF Challenge - Mongoose RCE CVE-2024-53900 Challenge Overvie...

9.1 CVSS, 10 AI score, 0.52176 EPSS
Exploits 3

Github Security Blog
added 2025/01/15 6:30 a.m., 64 views

Mongoose search injection vulnerability

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access...

9.8 CVSS, 9.4 AI score, 0.55322 EPSS
Exploits 3, References 12, Affected Software 1

OSV
added 2025/01/15 5:15 a.m., 18 views

CVE-2025-23061

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900...

9.8 CVSS, 7.6 AI score
Exploits 0, References 4

CVE
added 2025/01/15 12:0 a.m., 148 views

CVE-2025-23061

CVE-2025-23061 affects Mongoose before 8.9.5, enabling search injection via a nested $where filter in populate() match. This builds on an incomplete fix for CVE-2024-53900, as evidenced by multiple connected documents (Nuclei template, IBM security bulletins, and IBM/CVE details) describing NoSQL...

9.8 CVSS, 9.4 AI score, 0.55322 EPSS
Exploits 3, References 4, Affected Software 1

Circl
added 2024/12/02 10:6 p.m., 7 views

CVE-2024-53900

creationtimestamp| type| source
---|---|---
2024-12-02 22:06:16+00:00| seen| https://t.me/cvedetector/11816
2025-01-15 04:32:10+00:00| seen| https://infosec.exchange/users/cve/statuses/113830496154420562
2025-01-15 05:11:26+00:00| seen| https://t.me/DarkWebInformerCVEAlerts/1700
2025-01-15...

9.1 CVSS, 8.8 AI score, 0.52176 EPSS
Exploits 3, References 12

vulnersOsv
added 2024/12/02 9:31 p.m., 2 views

03-08 (=1.0.0), 06-jobs-api-vydeekelz (=1.0.0) +4056 more potentially affected by CVE-2024-53900 via mongoose (>=8.0.0 <=8.8.2)

mongoose NPM version =8.0.0, =1.0.0, =1.6.3, =1.1.2, =0.1.2, =0.1.142 - @10abdullahbutt/express-rest-api-starter =1.0.0 and more Source cves: CVE-2024-53900 Source advisory: OSV:GHSA-M7XQ-9374-9RVX...

9.1 CVSS, 7.4 AI score, 0.52176 EPSS
Exploits 3

vulnersOsv
added 2024/12/02 9:31 p.m., 3 views

@a-la-fois/api (>=0.0.25 <=0.0.39), @a-la-fois/doc-client (>=0.0.1 <=0.0.39) +110 more potentially affected by CVE-2024-53900 via mongoose (>=7.0.0 <=7.8.2)

mongoose NPM version =7.0.0, =0.0.25, =0.0.1, =0.0.25, =0.0.1, =0.0.25, =3.12.0, =1.0.0, =1.0.6, =0.2.0, =0.2.0, =0.0.0, =1.0.2, =1.0.0, =1.0.9-beta8 - @dedel.alex/adonis5-mongoose =7.6.10 and more Source cves: CVE-2024-53900 Source advisory: OSV:GHSA-M7XQ-9374-9RVX...

9.1 CVSS, 7.4 AI score, 0.52176 EPSS
Exploits 3

vulnersOsv
added 2024/12/02 9:31 p.m., 2 views

1405-authtokens (>=1.0.1 <=1.0.5), 1405_logging (=1.0.0) +3778 more potentially affected by CVE-2024-53900 via mongoose (>=3.6.11 <=5.13.22)

mongoose NPM version =3.6.11, =1.0.1, =1.0.7, =0.0.1, =0.0.2, =0.3.0, =0.0.1, =0.17.6, =0.0.1, =1.0.16, =1.0.30, =3.7.0, =3.8.2 and more Source cves: CVE-2024-53900 Source advisory: OSV:GHSA-M7XQ-9374-9RVX...

9.1 CVSS, 7.4 AI score, 0.52176 EPSS
Exploits 3

CVE
added 2024/12/02 12:0 a.m., 128 views

CVE-2024-53900

CVE-2024-53900 affects Mongoose. Before 8.8.3, it can improperly use $where in match, causing NoSQL injection with potential remote code execution (RCE). The CVSS 3.1 base score is 9.1 (CRITICAL). Mitigation: upgrade Mongoose to 8.8.3 or later; some sources describe continued risk due to incomplete fixes f...

9.1 CVSS, 9.4 AI score, 0.52176 EPSS
In wild, Exploits 3, References 5, Affected Software 1

Vulnrichment
added 2024/12/02 12:0 a.m., 16 views

CVE-2024-53900

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection...

9.4 AI score, 0.52176 EPSS
Exploits 3, References 5