CVE-2026-9747
- EPSS 0.27%
- Veröffentlicht 09.06.2026 22:05:24
- Zuletzt bearbeitet 15.06.2026 16:58:53
Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server.
CVE-2026-9746
- EPSS 0.27%
- Veröffentlicht 09.06.2026 22:02:12
- Zuletzt bearbeitet 10.06.2026 19:43:28
When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.
CVE-2026-9743
- EPSS 0.31%
- Veröffentlicht 09.06.2026 21:59:34
- Zuletzt bearbeitet 15.06.2026 16:56:21
In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline when reattaching to th...
CVE-2026-9742
- EPSS 0.35%
- Veröffentlicht 09.06.2026 21:57:46
- Zuletzt bearbeitet 10.06.2026 19:43:28
When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to ...
CVE-2026-9741
- EPSS 0.1%
- Veröffentlicht 09.06.2026 21:56:01
- Zuletzt bearbeitet 10.06.2026 19:43:28
A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions to...
CVE-2026-8202
- EPSS 0.26%
- Veröffentlicht 13.05.2026 00:19:41
- Zuletzt bearbeitet 18.05.2026 12:55:24
Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an authenticated user with aggregation permissions can pin CPU utilization at 100% for an extended period of time. This iss...
CVE-2026-8336
- EPSS 0.26%
- Veröffentlicht 13.05.2026 00:16:16
- Zuletzt bearbeitet 18.05.2026 12:54:59
After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $funct...
CVE-2026-8201
- EPSS 0.13%
- Veröffentlicht 13.05.2026 00:12:35
- Zuletzt bearbeitet 13.05.2026 22:50:59
A use-after-free vulnerability exists in MongoDB's Field-Level Encryption (FLE) query analysis component, affecting client-side uses of mongocryptd and crypt_shared. Triggering this vulnerability requires control over the structure of a client's FLE-...
CVE-2026-8200
- EPSS 0.2%
- Veröffentlicht 13.05.2026 00:08:29
- Zuletzt bearbeitet 18.05.2026 13:01:44
When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted. This issue impacts MongoDB Server v7.0 versions prior to 7...
CVE-2026-8199
- EPSS 0.26%
- Veröffentlicht 13.05.2026 00:05:22
- Zuletzt bearbeitet 13.05.2026 22:31:09
An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. This contributes to memory pressure and may lead to availability loss by OOM. This issue i...