๐Ÿ” CVE Alert

CVE-2026-59509

UNKNOWN 0.0

Unauthenticated arbitrary MongoDB collection read in cve-search

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
27th

An unauthenticated improper input validation vulnerability in the POST /fetch_cve_data endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt_users collection, enabling offline password cracking and potential administrative account compromise.

CWE CWE-20
Vendor cve-search
Product cve-search
Published Jul 5, 2026
Last Updated Jul 6, 2026
Stay Ahead of the Next One

Get instant alerts for cve-search cve-search

Be the first to know when new unknown vulnerabilities affecting cve-search cve-search are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

cve-search / cve-search
v4.0 โ‰ค v6.0.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/cve-search/cve-search/pull/1218 github.com: https://github.com/cve-search/cve-search/issues/1217

Credits

George Chen Esa Jokinen P-T-I Alexandre Dulaunoy