CVE-2026-59509
Unauthenticated arbitrary MongoDB collection read in cve-search
CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
27th
An unauthenticated improper input validation vulnerability in the POST /fetch_cve_data endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt_users collection, enabling offline password cracking and potential administrative account compromise.
| CWE | CWE-20 |
| Vendor | cve-search |
| Product | cve-search |
| Published | Jul 5, 2026 |
| Last Updated | Jul 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for cve-search cve-search
Be the first to know when new unknown vulnerabilities affecting cve-search cve-search are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
cve-search / cve-search
v4.0 โค v6.0.0
References
Credits
George Chen Esa Jokinen P-T-I Alexandre Dulaunoy