
MongoDB Inc MongoDB Server vulnerabilities

82 known vulnerabilities affecting mongodb_inc/mongodb_server.

Total CVEs: 82
CISA KEV (actively exploited): 1
Public exploits: 1
Exploited in the wild: 1
Severity breakdown: CRITICAL 3, HIGH 29, MEDIUM 50

Vulnerabilities

Page 1 of 5
CVE-2025-14847 | P1 | HIGH | CVSS 7.5 | KEV, PoC | affected: ≥ 8.2, < 8.2.3; ≥ 8.0, < 8.0.17; +7 more | published 2025-12-19
CWE-130 (Improper Handling of Length Parameter Inconsistency). Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects MongoDB Server v7.0 versions prior to 7.0.28, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Ser
Source: NVD
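The length-field inconsistency in the CVE-2025-14847 entry above is a check a receiving parser can make explicit. The following is an added example, not MongoDB's own code: a Python decoder for OP_COMPRESSED frames that zlib-decompresses with a bounded output and rejects any frame whose declared uncompressedSize differs from the number of bytes actually produced. The field layout follows the public MongoDB wire-protocol description (16-byte MsgHeader, then originalOpcode, uncompressedSize, compressorId, compressed bytes; compressorId 2 is zlib); the builder's declared_size parameter is a test hook for constructing a lying header and is not part of any real client.

```python
"""Decode MongoDB OP_COMPRESSED frames and reject inconsistent length fields.

Added example, not MongoDB's own code. Layout per the public wire protocol:
MsgHeader = messageLength, requestID, responseTo, opCode (int32 LE each),
then for opCode 2012 (OP_COMPRESSED): originalOpcode int32, uncompressedSize
int32, compressorId uint8, compressed bytes. compressorId 2 is zlib.
"""
import struct
import zlib

OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
MAX_MESSAGE_SIZE = 48 * 1024 * 1024  # MongoDB's maxMessageSizeBytes
HEADER_LEN = 16 + 9                  # MsgHeader + OP_COMPRESSED fixed fields


def build_op_compressed(payload, request_id=1, original_opcode=OP_MSG,
                        declared_size=None):
    """Build a zlib OP_COMPRESSED frame. declared_size (test hook only)
    overrides the uncompressedSize field so a lying header can be constructed."""
    compressed = zlib.compress(payload)
    size = len(payload) if declared_size is None else declared_size
    body = struct.pack("<iiB", original_opcode, size, COMPRESSOR_ZLIB) + compressed
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_COMPRESSED) + body


def parse_op_compressed(frame):
    """Return (originalOpcode, decompressed payload) or raise ValueError.

    The hardening is at the end: output is bounded by declared + 1 so the
    header cannot be used to pull more than it admits, and the actual length
    must equal uncompressedSize. Handing the caller a declared-size buffer
    that was only partly written is the CWE-130 pattern in CVE-2025-14847.
    """
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than OP_COMPRESSED header")
    msg_len, _request_id, _response_to, opcode = struct.unpack_from("<iiii", frame, 0)
    if opcode != OP_COMPRESSED:
        raise ValueError(f"opCode {opcode} is not OP_COMPRESSED")
    if msg_len != len(frame):
        raise ValueError("messageLength disagrees with bytes received")
    original_opcode, declared, compressor = struct.unpack_from("<iiB", frame, 16)
    if compressor != COMPRESSOR_ZLIB:
        raise ValueError(f"compressorId {compressor} not handled here")
    if not 0 <= declared <= MAX_MESSAGE_SIZE:
        raise ValueError(f"uncompressedSize {declared} out of range")
    d = zlib.decompressobj()
    try:
        out = d.decompress(frame[HEADER_LEN:], declared + 1)
    except zlib.error as exc:
        raise ValueError(f"corrupt zlib stream: {exc}") from None
    if not d.eof or d.unused_data or len(out) != declared:
        raise ValueError(f"uncompressedSize {declared} != actual {len(out)}")
    return original_opcode, out


def frame_is_consistent(frame):
    """Convenience predicate for filters and tests."""
    try:
        parse_op_compressed(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample frames: an honest one, then a header that claims
    # 4096 bytes for a payload that decompresses to far fewer.
    good = build_op_compressed(b"\x00" * 4 + b"{insert: 'demo'}")
    lying = build_op_compressed(b"short", declared_size=4096)
    print("honest frame ok:", frame_is_consistent(good))
    print("lying header ok:", frame_is_consistent(lying))
```

The same three conditions (stream ended, nothing left over, produced length equals declared length) are what a proxy or IDS in front of mongod should enforce before forwarding a compressed frame; a header that over-declares is the case that leaks heap, a header that under-declares is the case that hides data from size limits.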
CVE-2026-8053 | P2 | HIGH | CVSS 8.8 | affected: ≥ 5.0, < 5.0.33; ≥ 6.0, < 6.0.28; +4 more | published 2026-05-13
CWE-787 (Out-of-bounds Write). An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result
Source: NVD
CVE-2025-3085 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 5.0, < 5.0.31; ≥ 6.0, < 6.0.20; +2 more | published 2025-04-01
CWE-299 (Improper Check for Certificate Revocation). A MongoDB server running on Linux with TLS and CRL revocation status checking enabled, under specific conditions, fails to check the revocation status of the intermediate certificates in the peer's certificate chain. In cases of MONGODB-X509, which is not enabled by default, this may lead to improper authentication. This issue may also affect intra-c
Source: NVD
CVE-2026-8201 | P3 | HIGH | CVSS 8.8 | affected: ≥ 7.0, < 7.0.34; ≥ 8.0, < 8.0.23; +2 more | published 2026-05-13
CWE-416 (Use After Free). A use-after-free vulnerability exists in MongoDB's Field-Level Encryption (FLE) query analysis component, affecting client-side uses of mongocryptd and crypt_shared. Triggering this vulnerability requires control over the structure of a client's FLE-related query. This issue impacts MongoDB Server's mongocryptd component v7.0 versions prior to 7.0.34,
Source: NVD
CVE-2024-1351 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 7.0, ≤ 7.0.5; ≥ 6.0, ≤ 6.0.13; +2 more | published 2024-03-07
CWE-295 (Improper Certificate Validation). Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation, which may allow untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB S
Source: NVD
CVE-2025-6706 | P3 | HIGH | CVSS 8.8 | affected: ≥ 6.0, < 6.0.21; ≥ 7.0, < 7.0.17; +1 more | published 2025-06-26
CWE-416 (Use After Free). An authenticated user may trigger a use after free that may result in a MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server. The crash is triggered on affected versions by issuing an aggregation framework operation using a specific combination of rarely-used aggregation pipeline expression
Source: NVD
CVE-2024-8654 | P3 | CRITICAL | CVSS 9.8 | affected: v6.0.3 only | published 2024-09-10
CWE-908 (Use of Uninitialized Resource). MongoDB Server may access a non-initialized region of memory, leading to unexpected behaviour, when zero arguments are passed to an internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.
Source: NVD
CVE-2026-4148 | P3 | HIGH | CVSS 8.8 | affected: ≥ 8.2, < 8.2.6; ≥ 8.0, < 8.0.20; +1 more | published 2026-03-17
CWE-416 (Use After Free). A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
Source: NVD
CVE-2024-10921 | P3 | HIGH | CVSS 8.1 | affected: ≥ 5.0, < 5.0.30; ≥ 6.0, < 6.0.19; +2 more | published 2024-11-14
CWE-158 (Improper Neutralization of Null Byte or NUL Character). An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30, MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and
Source: NVD
CVE-2026-4358 | P3 | HIGH | CVSS 7.5 | affected: ≥ 8.2, < 8.2.6; ≥ 8.0, < 8.0.20; +1 more | published 2026-03-17
CWE-415 (Double Free). A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.
Source: NVD
CVE-2026-25611 | P3 | HIGH | CVSS 7.5 | affected: ≥ 8.2, < 8.2.4; ≥ 8.0, < 8.0.18; +1 more | published 2026-02-10
CWE-405 (Asymmetric Resource Consumption). A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server.
Source: NVD
CVE-2019-20925 | P3 | HIGH | CVSS 7.5 | affected: ≥ 4.2, < 4.2.1; ≥ 4.0, < 4.0.13; +2 more | published 2020-11-24
CWE-839 (Numeric Range Comparison Without Minimum Check). An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v
Source: NVD
CVE-2025-3083 | P3 | HIGH | CVSS 7.5 | affected: ≥ 5.0, < 5.0.31; ≥ 6.0, < 6.0.20; +1 more | published 2025-04-01
CWE-248 (Uncaught Exception). Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to 6.0.20 and MongoDB v7.0 versions prior to 7.0.16.
Source: NVD
CVE-2025-10060 | P3 | HIGH | CVSS 7.5 | affected: ≥ 6.0, < 6.0.25; ≥ 7.0, < 7.0.22; +1 more | published 2025-09-05
CWE-672 (Operation on a Resource after Expiration or Release). MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions pri
Source: NVD
CVE-2020-7925 | P3 | HIGH | CVSS 7.5 | affected: ≥ 4.2, < 4.2.9; ≥ 4.4, < 4.4.0-rc12 | published 2020-11-23
CWE-475 (Undefined Behavior for Input to API). Incorrect validation of user input in the role name parser may lead to use of uninitialized memory, allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc12; MongoDB Server v4.2 versions prior to 4.2.9.
Source: NVD
CVE-2024-7553 | P3 | HIGH | CVSS 7.8 | affected: ≥ 5.0, < 5.0.27; ≥ 6.0, < 6.0.16; +2 more | published 2024-08-07
CWE-284 (Improper Access Control). Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating system is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 ver
Source: NVD
CVE-2024-3372 | P3 | HIGH | CVSS 7.5 | affected: ≥ 5.0, < 5.0.25; ≥ 6.0, < 6.0.14; +1 more | published 2024-05-14
CWE-20 (Improper Input Validation). Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior, including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and M
Source: NVD
CVE-2025-6710 | P3 | HIGH | CVSS 7.5 | affected: ≥ 6.0, < 6.0.21; ≥ 7.0, < 7.0.17; +1 more | published 2025-06-26
CWE-674 (Uncontrolled Recursion). MongoDB Server may be susceptible to stack overflow due to its JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash, which could occur pre-authorisation. This issue affects MongoDB Serv
Source: NVD
CVE-2025-13644 | P3 | HIGH | CVSS 7.5 | affected: ≥ 8.0, < 8.0.13; ≥ 7.0, < 7.0.26; +1 more | published 2025-11-25
CWE-617 (Reachable Assertion). MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versi
Source: NVD
CVE-2021-32040 | P3 | HIGH | CVSS 7.5 | affected: ≥ 5.0, < 5.0.4; ≥ 4.4, ≤ 4.4.28; +1 more | published 2022-04-12
CWE-121 (Stack-based Buffer Overflow). It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4
Source: NVD
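The affected-version notation in the entry headers above mixes strict (<) and inclusive (≤) upper bounds, bare series lower bounds (≥ 8.0), a single exact version (v6.0.3) and a release-candidate bound (< 4.4.0-rc12), which is easy to get wrong in an inventory script. The following is an added example, not cvebase's or MongoDB's code: a Python matcher that parses that notation and reports which listed CVEs apply to a given mongod version. The ADVISORIES table is a constructed subset copied from the headers on this page (only the two ranges shown per entry, none of the "+N more" branches), so an empty result means only that none of those ranges matched, not that the build is clean; the version string comes from `mongod --version` or db.version().

```python
"""Match a mongod version against the affected-version notation used on this
page and list which CVEs apply.

Added example, not cvebase's or MongoDB's code. ADVISORIES is a constructed
subset copied from the entry headers above: only the two ranges shown per
entry, none of the "+N more" branches, so a miss here is not a clean bill.
"""
import operator
import re

# Accepts the page's notation: ">= 8.2, < 8.2.3", "<= 7.0.5", "v6.0.3",
# "< 4.4.0-rc12". A bare major.minor bound denotes the start of that series.
ADVISORIES = {
    "CVE-2025-14847": [">= 8.2, < 8.2.3", ">= 8.0, < 8.0.17"],
    "CVE-2025-6706":  [">= 6.0, < 6.0.21", ">= 7.0, < 7.0.17"],
    "CVE-2024-1351":  [">= 7.0, <= 7.0.5", ">= 6.0, <= 6.0.13"],
    "CVE-2024-8654":  ["v6.0.3"],
    "CVE-2020-7925":  [">= 4.2, < 4.2.9", ">= 4.4, < 4.4.0-rc12"],
}

_VERSION = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?$")
_BOUND = re.compile(r"^\s*(>=|<=|<|>|=)?\s*(v?[0-9][0-9.]*(?:-rc\d+)?)\s*$")
_OPS = {">=": operator.ge, "<=": operator.le, "<": operator.lt,
        ">": operator.gt, "=": operator.eq, None: operator.eq}


def parse_version(text):
    """Return a sortable key (major, minor, patch, is_release, rc).

    Release candidates sort before the release they precede
    (4.4.0-rc12 < 4.4.0), and a bare "8.2" sorts before every 8.2.x
    including its rcs, so ">= 8.2" covers the whole series.
    """
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version {text!r}")
    major, minor, patch, rc = m.groups()
    if patch is None and rc is None:
        return (int(major), int(minor), 0, 0, 0)
    return (int(major), int(minor), int(patch or 0),
            1 if rc is None else 0, int(rc or 0))


def version_in_range(version, spec):
    """True if version satisfies every comma-separated bound in spec."""
    v = parse_version(version)
    # Tolerate the page's Unicode comparison signs when ranges are pasted in.
    spec = spec.replace("\u2265", ">=").replace("\u2264", "<=")
    for part in spec.split(","):
        m = _BOUND.match(part)
        if not m:
            raise ValueError(f"unrecognised bound {part!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        if not _OPS[op](v, bound):
            return False
    return True


def affected_cves(version, table=ADVISORIES):
    """CVE ids from table whose ranges include version, sorted."""
    return sorted(cve for cve, specs in table.items()
                  if any(version_in_range(version, s) for s in specs))


if __name__ == "__main__":
    # Constructed inputs; in practice feed the output of `mongod --version`
    # or db.version() from the shell.
    for v in ("8.0.16", "8.0.17", "7.0.5", "6.0.3", "4.4.0-rc11", "4.4.0"):
        print(f"{v:>11}: {affected_cves(v) or 'none of the listed ranges'}")
```

The two boundary cases worth keeping in a test are the inclusive bound (7.0.5 is inside "≤ 7.0.5" but 7.0.6 is not) and the release candidate (4.4.0-rc11 is inside "< 4.4.0-rc12" while the 4.4.0 GA build is not), since a naive string or float comparison gets both wrong.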