Vulnerabilities (CVE)

Filtered by vendor Mongodb
Filtered by product Mongodb
Total 88 CVE
CVE | #Vendors Vendors | #Products Products | Updated | CVSS v2 | CVSS v3
CVE-2013-3969 1 Mongodb 1 Mongodb 2026-04-29 6.5 MEDIUM N/A
The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object.
CVE-2013-1892 2 Mongodb, Redhat 2 Mongodb, Enterprise Mrg 2026-04-29 6.0 MEDIUM N/A
MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument.
CVE-2013-4650 1 Mongodb 1 Mongodb 2026-04-29 6.5 MEDIUM N/A
MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authenticated users to obtain internal system privileges by leveraging a username of __system in an arbitrary database.
CVE-2013-2132 3 Canonical, Mongodb, Opensuse 3 Ubuntu Linux, Mongodb, Opensuse 2026-04-29 4.3 MEDIUM N/A
bson/_cbsonmodule.c in the mongo-python-driver (aka pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an "invalid DBRef."
CVE-2026-4147 1 Mongodb 1 Mongodb 2026-04-10 N/A 6.5 MEDIUM
An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially crafted invocations of the filemd5 command.
CVE-2026-4148 1 Mongodb 1 Mongodb 2026-04-10 N/A 8.8 HIGH
A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
CVE-2026-5170 1 Mongodb 1 Mongodb 2026-04-02 N/A 5.3 MEDIUM
A user with access to the cluster and a limited set of privilege actions can crash a mongod process during the short and unpredictable window in which a replica set is being promoted to a sharded cluster. Taking down the primary of the replica set in this way is a denial of service. This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.
CVE-2026-4358 1 Mongodb 1 Mongodb 2026-04-02 N/A 6.4 MEDIUM
A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.
CVE-2026-1847 1 Mongodb 1 Mongodb 2026-02-25 N/A 6.5 MEDIUM
Inserting certain large documents into a replica set could prevent secondaries from fetching the oplog from the primary. This could stall replication inside the replica set and lead to a server crash.
CVE-2026-1848 1 Mongodb 1 Mongodb 2026-02-25 N/A 7.5 HIGH
Connections received from the proxy port may not count towards the total of accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted on the proxy port that are still waiting for the proxy protocol header.
CVE-2026-1849 1 Mongodb 1 Mongodb 2026-02-25 N/A 6.5 MEDIUM
MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.
CVE-2026-1850 1 Mongodb 1 Mongodb 2026-02-25 N/A 6.5 MEDIUM
Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.
CVE-2026-25609 1 Mongodb 1 Mongodb 2026-02-25 N/A 5.4 MEDIUM
Incorrect validation of the profile command may cause a request that alters the profiler 'filter' to be treated as read-only.
CVE-2026-25610 1 Mongodb 1 Mongodb 2026-02-25 N/A 6.5 MEDIUM
An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.
CVE-2026-25613 1 Mongodb 1 Mongodb 2026-02-25 N/A 6.5 MEDIUM
An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.
CVE-2020-7921 1 Mongodb 1 Mongodb 2026-02-23 3.5 LOW 4.6 MEDIUM
Improper serialization of internal state in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3 and MongoDB Server v3.6 versions prior to 3.6.18.
CVE-2019-2390 2 Microsoft, Mongodb 2 Windows, Mongodb 2026-02-23 6.8 MEDIUM 8.2 HIGH
An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker-defined code as the user running the utility. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 versions prior to 3.4.22.
CVE-2019-2386 1 Mongodb 1 Mongodb 2026-02-23 6.0 MEDIUM 7.1 HIGH
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts.
CVE-2025-14847 1 Mongodb 1 Mongodb 2026-01-13 N/A 7.5 HIGH
Mismatched length fields in zlib-compressed protocol headers may allow an unauthenticated client to read uninitialized heap memory. This issue affects MongoDB Server v7.0 versions prior to 7.0.28, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, and all MongoDB Server v4.2, v4.0 and v3.6 versions (4.2.0 and later, 4.0.0 and later, 3.6.0 and later respectively).
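The bug class behind CVE-2025-14847 is a decompressor that trusts the uncompressedSize field of an OP_COMPRESSED message instead of the number of bytes zlib actually produces. The following is an added example, not MongoDB's own code: it frames a message using the public OP_COMPRESSED wire layout (standard 16-byte header with opCode 2012, then originalOpcode, uncompressedSize, compressorId and the compressed body; compressorId 2 is zlib), shows the trusting pattern next to a checked one, and models only the case where the declared size exceeds the real payload. The 0xCC fill standing in for uninitialized heap memory, the 48 MB cap, and the helper names are assumptions of this example, and the exact server code path is not described on this page.

```python
"""OP_COMPRESSED length validation (added example, not MongoDB source code)."""
import struct
import zlib
from typing import Optional

OP_COMPRESSED = 2012          # public MongoDB wire-protocol opcode for OP_COMPRESSED
OP_MSG = 2013                 # opcode we claim to be wrapping
COMPRESSOR_ZLIB = 2           # compressorId for zlib (0 noop, 1 snappy, 2 zlib, 3 zstd)
MAX_MESSAGE_BYTES = 48 * 1000 * 1000   # assumed cap; MongoDB enforces a 48 MB message limit

HEADER = struct.Struct("<iiii")        # messageLength, requestID, responseTo, opCode
COMPRESSED_HDR = struct.Struct("<iiB")  # originalOpcode, uncompressedSize, compressorId
BODY_OFFSET = HEADER.size + COMPRESSED_HDR.size


def build_op_compressed(payload: bytes, declared_size: Optional[int] = None,
                        request_id: int = 1) -> bytes:
    """Frame payload as OP_COMPRESSED/zlib. declared_size lets a caller lie about
    uncompressedSize, which is exactly the mismatch a hostile client can send."""
    body = zlib.compress(payload)
    size = len(payload) if declared_size is None else declared_size
    inner = COMPRESSED_HDR.pack(OP_MSG, size, COMPRESSOR_ZLIB) + body
    return HEADER.pack(HEADER.size + len(inner), request_id, 0, OP_COMPRESSED) + inner


def decompress_trusting_header(msg: bytes) -> bytes:
    """Vulnerable pattern: size the output buffer from the header and return the whole
    buffer no matter how many bytes zlib wrote. The bytes zlib never touched are returned
    to the caller; 0xCC stands in for whatever was left in the heap allocation."""
    _, _, _, opcode = HEADER.unpack_from(msg, 0)
    if opcode != OP_COMPRESSED:
        raise ValueError("not an OP_COMPRESSED message")
    _, declared, _ = COMPRESSED_HDR.unpack_from(msg, HEADER.size)
    out = bytearray(b"\xcc" * declared)             # "uninitialized" heap buffer
    produced = zlib.decompress(msg[BODY_OFFSET:])[:declared]
    out[:len(produced)] = produced                  # short output leaves the tail untouched
    return bytes(out)


def decompress_checked(msg: bytes, max_size: int = MAX_MESSAGE_BYTES) -> bytes:
    """Hardened pattern: every length field is cross-checked against what actually
    arrived and what zlib actually produced; any disagreement rejects the message."""
    length, _, _, opcode = HEADER.unpack_from(msg, 0)
    if opcode != OP_COMPRESSED:
        raise ValueError("not an OP_COMPRESSED message")
    if length != len(msg) or length < BODY_OFFSET:
        raise ValueError("messageLength does not match bytes received")
    _, declared, compressor = COMPRESSED_HDR.unpack_from(msg, HEADER.size)
    if compressor != COMPRESSOR_ZLIB:
        raise ValueError(f"unsupported compressorId {compressor}")
    if not 0 <= declared <= max_size:
        raise ValueError("uncompressedSize out of range")
    # Ask zlib for at most declared+1 bytes so an oversized stream is detected without
    # inflating it fully (decompression-bomb guard as well as a length check).
    d = zlib.decompressobj()
    produced = d.decompress(msg[BODY_OFFSET:], declared + 1)
    if len(produced) != declared:
        raise ValueError(f"uncompressedSize {declared} but zlib produced {len(produced)}")
    if not d.eof or d.unused_data:
        raise ValueError("truncated zlib stream or trailing garbage")
    return produced


def demo() -> dict:
    """Honest and lying messages through both decoders; returns what each decoder yields."""
    honest = build_op_compressed(b"hello" * 100)
    lying = build_op_compressed(b"hello", declared_size=64)     # claims 64, really 5
    result = {"honest": decompress_checked(honest),
              "leak": decompress_trusting_header(lying)}        # 5 real bytes + 59 x 0xCC
    try:
        decompress_checked(lying)
        result["checked_lying"] = "accepted"
    except ValueError as exc:
        result["checked_lying"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v if isinstance(v, str) else v[:16])
```

The checked variant also rejects a declared size smaller than the real payload (zlib yields declared+1 bytes, so the lengths differ) and a stream cut off mid-way (d.eof stays False), both of which the trusting variant would silently pass through.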
CVE-2025-12657 1 Mongodb 1 Mongodb 2025-12-12 N/A 5.0 MEDIUM
The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations.