CVE-2026-42334
published 2026-05-14CVE-2026-42334: Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows…
PriorityP344high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.27%
19.1th percentile
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| automattic | mongoose | < 6.13.9 | 6.13.9 |
| automattic | mongoose | — | — |
| automattic | mongoose | — | — |
| automattic | mongoose | — | — |
| cesanta | mongoose | >= 0 < 6.13.9 | 6.13.9 |
| cesanta | mongoose | >= 7.0.0 < 7.8.9 | 7.8.9 |
| cesanta | mongoose | >= 8.0.0 < 8.22.1 | 8.22.1 |
| cesanta | mongoose | >= 9.0.0 < 9.1.6 | 9.1.6 |
| mongoosejs | mongoose | < 6.13.9 | 6.13.9 |
| mongoosejs | mongoose | >= 7.0.0 < 7.8.9 | 7.8.9 |
| mongoosejs | mongoose | >= 8.0.0 < 8.22.1 | 8.22.1 |
| mongoosejs | mongoose | >= 9.0.0 < 9.1.6 | 9.1.6 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
2026-05-14
Published