Mongoose < 8.8.3 - Remote Code Execution
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. id: CVE-2024-53900 info: name: Mongoose < 8.8.3 - Remote Code Execution author: h4mg severity: critical description: | Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. impact...
Roundcube Webmail: Unsanitized IMAP SEARCH command arguments
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search...
CVE-2026-35538
This CVE affects Roundcube Webmail prior to 1.5.14 and prior to 1.6.14. The issue is unsanitized IMAP SEARCH arguments that can lead to IMAP injection or CSRF bypass during mail search. The connected sources indicate fixed releases: Roundcube 1.5.14 and 1.6.14 (and related security updates), so u...
CVE-2026-35538
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search...
CVE-2026-32888
Open Source Point of Sale is a web based point-of-sale application written in PHP using the CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (the searchcustom filter), user-supplied input from the search GET...
CVE-2020-37035
CVE-2020-37035 concerns e-Learning PHP Script 0.1.0, where the vulnerable component is the search functionality. The root cause is an SQL injection vulnerability due to unvalidated input in the 'search' parameter, enabling attackers to manipulate database queries. Reported impact includes potenti...
CVE-2026-22195
GestSup is affected by a SQL injection in the search bar for versions up to 3.2.60 (and affected up to 3.2.56 in some feeds). The vulnerability arises because user-controlled input in the search functionality is interpolated into SQL queries without sufficient neutralization, enabling an authenti...
CVE-2025-23061
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900...
VulnCheck KEV: CVE-2024-53900
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection...
BIT-MONGOOSE-2024-53900
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection...
BIT-MONGOOSE-2025-23061
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900...
Linux Distros Unpatched Vulnerability : CVE-2025-26533
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An SQL injection risk was identified in the module list filter within course search. CVE-2025-26533 Note that Nessus relies on the presence of the package as...
Security Bulletin: Mongoose Improper Handling of Nested $where in populate() Match Allows Search Injection
Summary Mongoose improper handling of nested $where in populate match allows search injection due to incomplete fix for CVE-2024-53900. Vulnerability Details CVEID:CVE-2025-23061 DESCRIPTION: Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search...
GHSA-4R67-4X4P-FPRG Mattermost allows authenticated administrator to execute LDAP search filter injection
Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT...
CVE-2024-53900
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in Mongoose
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of Mongoose Vulnerability Details CVEID:CVE-2025-23061 DESCRIPTION: Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search injection. NOTE: this issue exists because of an...
Security Bulletin: Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
Summary Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. Vulnerability Details CVEID:CVE-2024-53900 DESCRIPTION: Mongoose before 8.8.3 can improperly use $where in match. CWE:CWE-89: Improper Neutralization of Special Elements used in an SQL Command 'SQL...
Search Injection
Mongoose is vulnerable to Search Injection. The vulnerability is due to improper handling of a nested $where filter with a populate match, which can be exploited for search injection attacks...
PT-2025-4802 · Mongoose · Mongoose
Name of the Vulnerable Software and Affected Versions: Mongoose affected versions not specified Description: The Mongoose library is affected by a flaw that exposes millions of downloads to search injection. This issue arises from the improper handling of nested $where filters with populate match...
GHSA-VG7J-7CWX-8WGW Mongoose search injection vulnerability
Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access...