Lucene search
+L
MongoosejsMongoose

6 matches found

CVE
CVE
added 2023/07/17 12:0 a.m.242 views

CVE-2023-3696

CVE-2023-3696 affects the GitHub repository automattic/mongoose, with the vulnerability present in versions before 7.3.4. The root cause is a prototype pollution flaw in the code path used for object merging. Exploitation details are not provided in the supplied documents, but CVSS metrics indica...

10CVSS9.4AI score0.0101EPSS
CVE
CVE
added 2025/01/15 12:0 a.m.161 views

CVE-2025-23061

CVE-2025-23061 affects Mongoose before 8.9.5, enabling search injection via a nested $where filter in populate() match. This builds on an incomplete fix for CVE-2024-53900, as evidenced by multiple connected documents (Nuclei template, IBM security bulletins, and IBM/CVE details) describing NoSQL...

9.8CVSS9.4AI score0.07025EPSS
CVE
CVE
added 2024/12/02 12:0 a.m.154 views

CVE-2024-53900

CVE-2024-53900 affects Mongoose. Before 8.8.3, it can improperly use $where in match, causing NoSQL injection with potential remote code execution (RCE). CVSS is 3.1 base 9.1 (CRITICAL). Mitigation: upgrade Mongoose to 8.8.3 or later; some sources describe continued risk due to incomplete fixes f...

9.1CVSS9.4AI score0.03988EPSS
In wildWeb
CVE
CVE
added 2019/10/10 12:35 a.m.142 views

CVE-2019-17426

Automattic Mongoose up to version 5.7.4 is affected. The root cause is that a query object containing a _bsontype attribute is ignored, which can bypass access control in some applications (e.g., a query filter interference with _bsontype). The CVE covers this behavior in older versions of the bs...

9.1CVSS9AI score0.0166EPSS
CVE
CVE
added 2022/07/28 3:21 p.m.122 views

CVE-2022-2564

CVE-2022-2564 covers a Prototype Pollution vulnerability in automattic/mongoose prior to 6.4.6. Some connected records describe the issue as prototype pollution via Schema.path, which could enable modification of the Object prototype and, per related advisories, potential DoS scenarios. The publi...

9.8CVSS8.1AI score0.32676EPSS
CVE
CVE
added 2026/05/14 6:3 p.m.28 views

CVE-2026-42334

Technical details about CVE-2026-42334 are not publicly available in the provided documents. Monitor for updates.

7.5CVSS5.8AI score0.00274EPSS