CVE-2026-8053
- EPSS 0.57%
- Veröffentlicht 12.05.2026 23:59:43
- Zuletzt bearbeitet 18.05.2026 13:06:01
An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal fie...
CVE-2026-8063
- EPSS 0.23%
- Veröffentlicht 07.05.2026 04:12:54
- Zuletzt bearbeitet 11.05.2026 15:26:42
An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $ran...
CVE-2026-6914
- EPSS 0.26%
- Veröffentlicht 29.04.2026 17:16:41
- Zuletzt bearbeitet 06.05.2026 20:11:08
Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server. This issue affects all MongoDB Server v8.2 versions, all MongoDB Server v8.1 versions, MongoDB Server v8.0 versions prio...
CVE-2026-6915
- EPSS 0.17%
- Veröffentlicht 29.04.2026 17:16:41
- Zuletzt bearbeitet 06.05.2026 20:08:44
An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related data associated with another user account. This could affect how authentication is performed for the impacted acc...
CVE-2026-5170
- EPSS 0.2%
- Veröffentlicht 30.03.2026 15:28:57
- Zuletzt bearbeitet 02.04.2026 17:18:58
A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a...
CVE-2026-4358
- EPSS 0.34%
- Veröffentlicht 17.03.2026 19:00:07
- Zuletzt bearbeitet 02.04.2026 12:16:02
A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.
CVE-2026-4148
- EPSS 0.32%
- Veröffentlicht 17.03.2026 15:53:57
- Zuletzt bearbeitet 10.04.2026 17:38:37
A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
CVE-2026-4147
- EPSS 0.22%
- Veröffentlicht 17.03.2026 15:50:21
- Zuletzt bearbeitet 10.04.2026 17:40:20
An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.
CVE-2026-32248
- EPSS 0.63%
- Veröffentlicht 12.03.2026 19:14:47
- Zuletzt bearbeitet 13.03.2026 19:00:34
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider th...
CVE-2026-31872
- EPSS 0.37%
- Veröffentlicht 11.03.2026 18:02:57
- Zuletzt bearbeitet 13.03.2026 18:24:36
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and ...