CVE-2026-59509
9.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Summary
An unauthenticated improper input validation vulnerability in the POST /fetch_cve_data endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt_users collection, enabling offline password cracking and potential administrative account compromise.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| cve-search | cve-search | v4.0 <= v6.0.0 | affected |
Weaknesses
- CWE-20: CWE-20 Improper Input Validation
References
- https://github.com/cve-search/cve-search/pull/1218
- https://github.com/cve-search/cve-search/issues/1217
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.