12 matches found
BIT-MONGOOSE-2026-42334 Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps quer...
CVE-2026-42334
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps quer...
CVE-2026-42334 Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps quer...
CVE-2026-42334
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps quer...
CVE-2026-42334 Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps quer...
CVE-2026-42334
Technical details about CVE-2026-42334 are not publicly available in the provided documents. Monitor for updates.
Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
Impact This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that...
GHSA-WPG9-53FQ-2R8H Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
Impact This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that...
NPM: Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
NPM: Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection vulnerability discovered by ? in WordPress Npm mongoose versions = 9.0.0, = 9.1.5...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview org.webjars.npm:mongoose is a Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' in the...
PT-2026-37266
Name of the Vulnerable Software and Affected Versions Mongoose versions prior to 6.13.9 Mongoose versions prior to 7.8.9 Mongoose versions prior to 8.22.1 Mongoose versions prior to 9.1.6 Description A flaw in the sanitizeFilter query sanitization mechanism allows it to be bypassed using the $nor...
CVE-2026-34595
CVE-2026-34595 affects Parse Server LiveQuery: an authenticated user with find class-level permission can bypass the protectedFields guard by submitting a subscription using an array-like object for $or/$and/$nor instead of a real array. This bypass allows the subscription firing to act as a bina...