Filtered by vendor Mongodb
Subscriptions
Filtered by product Mongodb
Subscriptions
Total
90 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6707 | 1 Mongodb | 1 Mongodb | 2026-02-26 | 4.2 Medium |
| Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5. | ||||
| CVE-2025-10491 | 2 Microsoft, Mongodb | 2 Windows, Mongodb | 2026-02-26 | 7.8 High |
| The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories allowing a local attacker to introduce executable code to MongoDB's process via DLL hijacking. This issue affects MongoDB Server v6.0 version prior to 6.0.25, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5 | ||||
| CVE-2025-11535 | 2 Microsoft, Mongodb | 3 Windows, Connector For Bi, Mongodb | 2026-02-26 | N/A |
| MongoDB Connector for BI installation via MSI on Windows leaves ACLs unset on custom install directories allows Privilege Escalation.This issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24. | ||||
| CVE-2025-11575 | 2 Microsoft, Mongodb | 2 Windows, Mongodb | 2026-02-26 | 7.8 High |
| Incorrect Default Permissions vulnerability in MongoDB Atlas SQL ODBC driver on Windows allows Privilege Escalation.This issue affects MongoDB Atlas SQL ODBC driver: from 1.0.0 through 2.0.0. | ||||
| CVE-2025-12100 | 1 Mongodb | 2 Connector For Bi, Mongodb | 2026-02-26 | 7.8 High |
| Incorrect Default Permissions vulnerability in MongoDB BI Connector ODBC driver allows Privilege Escalation.This issue affects BI Connector ODBC driver: from 1.0.0 through 1.4.6. | ||||
| CVE-2025-14847 | 1 Mongodb | 1 Mongodb | 2026-02-26 | 7.5 High |
| Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0. | ||||
| CVE-2026-1847 | 1 Mongodb | 1 Mongodb | 2026-02-25 | 6.5 Medium |
| Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash. | ||||
| CVE-2026-1848 | 1 Mongodb | 1 Mongodb | 2026-02-25 | 7.5 High |
| Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header. | ||||
| CVE-2026-1849 | 1 Mongodb | 1 Mongodb | 2026-02-25 | 6.5 Medium |
| MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression. | ||||
| CVE-2026-1850 | 1 Mongodb | 1 Mongodb | 2026-02-25 | 6.5 Medium |
| Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash. | ||||
| CVE-2026-25609 | 1 Mongodb | 1 Mongodb | 2026-02-25 | 5.4 Medium |
| Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only. | ||||
| CVE-2026-25610 | 1 Mongodb | 1 Mongodb | 2026-02-25 | 6.5 Medium |
| An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints. | ||||
| CVE-2026-25613 | 1 Mongodb | 1 Mongodb | 2026-02-25 | 6.5 Medium |
| An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index. | ||||
| CVE-2020-7921 | 1 Mongodb | 1 Mongodb | 2026-02-23 | 4.6 Medium |
| Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18. | ||||
| CVE-2019-2390 | 2 Microsoft, Mongodb | 2 Windows, Mongodb | 2026-02-23 | 8.2 High |
| An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22. | ||||
| CVE-2019-2386 | 1 Mongodb | 1 Mongodb | 2026-02-23 | 7.1 High |
| After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts. | ||||
| CVE-2026-25612 | 1 Mongodb | 1 Mongodb | 2026-02-11 | 6.5 Medium |
| The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks. | ||||
| CVE-2026-25611 | 1 Mongodb | 1 Mongodb | 2026-02-11 | 7.5 High |
| A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server. | ||||
| CVE-2025-12657 | 1 Mongodb | 1 Mongodb | 2025-12-12 | 5 Medium |
| The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations. | ||||
| CVE-2025-13643 | 1 Mongodb | 1 Mongodb | 2025-12-11 | 3.1 Low |
| A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing. This issue affects MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB Server v8.0 versions prior to 8.0.14 | ||||