6 matches found
CVE-2023-3696
CVE-2023-3696 affects the GitHub repository automattic/mongoose, with the vulnerability present in versions before 7.3.4. The root cause is a prototype pollution flaw in the code path used for object merging. Exploitation details are not provided in the supplied documents, but CVSS metrics indica...
CVE-2025-23061
CVE-2025-23061 affects Mongoose before 8.9.5, enabling search injection via a nested $where filter in populate() match. This builds on an incomplete fix for CVE-2024-53900, as evidenced by multiple connected documents (Nuclei template, IBM security bulletins, and IBM/CVE details) describing NoSQL...
CVE-2024-53900
CVE-2024-53900 affects Mongoose. Before 8.8.3, it can improperly use $where in match, causing NoSQL injection with potential remote code execution (RCE). CVSS is 3.1 base 9.1 (CRITICAL). Mitigation: upgrade Mongoose to 8.8.3 or later; some sources describe continued risk due to incomplete fixes f...
CVE-2019-17426
Automattic Mongoose up to version 5.7.4 is affected. The root cause is that a query object containing a _bsontype attribute is ignored, which can bypass access control in some applications (e.g., a query filter interference with _bsontype). The CVE covers this behavior in older versions of the bs...
CVE-2022-2564
CVE-2022-2564 covers a Prototype Pollution vulnerability in automattic/mongoose prior to 6.4.6. Some connected records describe the issue as prototype pollution via Schema.path, which could enable modification of the Object prototype and, per related advisories, potential DoS scenarios. The publi...
CVE-2026-42334
Technical details about CVE-2026-42334 are not publicly available in the provided documents. Monitor for updates.