CVE-2026-42334
- EPSS 0.27%
- Published 14.05.2026 18:03:43
- Last modified 15.05.2026 18:25:21
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When...
CVE-2025-23061
- EPSS 7.03%
- Published 15.01.2025 05:15:10
- Last modified 31.10.2025 18:56:04
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
CVE-2024-53900
- EPSS 3.91%
- Published 02.12.2024 20:15:08
- Last modified 01.10.2025 18:24:19
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
CVE-2023-3696
- EPSS 1.01%
- Published 17.07.2023 01:15:08
- Last modified 21.11.2024 08:17:51
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
CVE-2022-2564
- EPSS 32.68%
- Published 28.07.2022 20:15:11
- Last modified 21.11.2024 07:01:15
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
CVE-2019-17426
- EPSS 1.66%
- Published 10.10.2019 02:05:46
- Last modified 21.11.2024 04:32:18
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: ...