4 matches found
CVE-2023-3696
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
CVE-2019-17426
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work arou...
CVE-2025-23061
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
CVE-2022-2564
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.