Mongodb Inc Mongodb Server vulnerabilities

82 known vulnerabilities affecting mongodb_inc/mongodb_server.

Total CVEs: 82
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 29, MEDIUM 50

Vulnerabilities

Page 2 of 5
CVE-2025-10491 | P3 | HIGH | CVSS 7.8 | affected: ≥ 6.0, < 6.0.25; ≥ 7.0, < 7.0.21 (+1 more) | 2025-09-15
  [HIGH] CWE-284: The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories allowing a local attacker to introduce executable code to MongoDB's process via DLL hijacking. This issue affects MongoDB Server v6.0 version prior to 6.0.25, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5
  Source: nvd
CVE-2025-0755 | P3 | HIGH | CVSS 7.5 | affected: ≥ 8.0, < 8.0.1; ≥ 7.0, < 7.0.16 | 2025-03-18
  [HIGH] CWE-122: The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB
  Source: nvd
CVE-2025-6709 | P3 | HIGH | CVSS 7.5 | affected: ≥ 7.0, < 7.0.17; ≥ 8.0, < 8.0.5 (+1 more) | 2025-06-26
  [HIGH] CWE-20: The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash. This issue affects MongoDB Server v7.0 versions prior to 7.0.1
  Source: nvd
CVE-2023-1409 | P3 | HIGH | CVSS 7.5 | affected: ≥ 6.3, ≤ 6.3.2; ≥ 5.0, ≤ 5.0.14 (+1 more) | 2023-08-23
  [HIGH] CWE-295: If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies an
  Source: nvd
CVE-2025-6714 | P3 | HIGH | CVSS 7.5 | affected: ≥ 6.0, < 6.0.23; ≥ 7.0, < 7.0.20 (+1 more) | 2025-07-07
  [HIGH] CWE-400: MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. This issue affects MongoDB Server v6.0 prior to 6.0.23, MongoDB Server v7.0 prior to 7.0.20 and MongoDB Server v8.0 prior to 8.0.9 Required Configuration: This affec
  Source: nvd
CVE-2020-7928 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 4.4, < 4.4.1; ≥ 4.2, < 4.2.9 (+2 more) | 2020-11-23
  [MEDIUM] CWE-158: A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects MongoDB Server v4.4 versions prior to 4.4.1; MongoDB Server v4.2 versions prior to 4.2.9; MongoDB Server v4.0 versions prior to 4.0.20 and MongoDB Server v3.6 versions prior to 3.6.20.
  Source: nvd
CVE-2025-6713 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 6.0, < 6.0.22; ≥ 7.0, < 7.0.19 (+1 more) | 2025-07-07
  [MEDIUM] CWE-285: An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 v
  Source: nvd
CVE-2026-1849 | P3 | HIGH | CVSS 7.5 | affected: ≥ 8.0, < 8.0.18; ≥ 7.0, < 7.0.29 (+1 more) | 2026-02-10
  [HIGH] CWE-674: MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.
  Source: nvd
CVE-2026-1848 | P3 | HIGH | CVSS 7.5 | affected: ≥ 8.2, < 8.2.4; ≥ 8.0, < 8.0.18 (+1 more) | 2026-02-10
  [HIGH] CWE-770: Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header.
  Source: nvd
CVE-2026-1850 | P3 | HIGH | CVSS 7.5 | affected: ≥ 8.0, < 8.0.18; ≥ 8.2, < 8.2.4 | 2026-02-10
  [HIGH] CWE-770: Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.
  Source: nvd
CVE-2026-8336 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 8.2, < 8.2.9; ≥ 8.3, < 8.3.2 | 2026-05-13
  [MEDIUM] CWE-416: After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication d
  Source: nvd
CVE-2019-2390 | P3 | HIGH | CVSS 7.8 | affected: ≥ 4.0, < 4.0.11; ≥ 3.6, < 3.6.14 (+1 more) | 2019-08-30
  [HIGH] CWE-94: An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server
  Source: nvd
CVE-2026-1847 | P3 | HIGH | CVSS 7.5 | affected: ≥ 8.0, < 8.0.18; ≥ 7.0, < 7.0.29 | 2026-02-10
  [HIGH] CWE-770: Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash.
  Source: nvd
CVE-2021-32036 | P3 | HIGH | CVSS 7.1 | affected: ≥ 5.0, ≤ 5.0.3; ≥ 4.4, ≤ 4.4.9 (+2 more) | 2022-02-04
  [HIGH] CWE-770: An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions. This issue affects MongoDB Server v5.0 versions prior to and
  Source: nvd
CVE-2018-20803 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 4.0, < 4.0.5; ≥ 3.6, < 3.6.10 (+1 more) | 2020-11-23
  [MEDIUM] CWE-835: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects MongoDB Server v4.0 versions prior to 4.0.5; MongoDB Server v3.6 versions prior to 3.6.10 and MongoDB Server v3.4 versions prior to 3.4.19.
  Source: nvd
CVE-2025-10061 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 6.0, < 6.0.25; ≥ 7.0, < 7.0.22 (+2 more) | 2025-09-05
  [MEDIUM] CWE-20: An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This vulnerability could lead to denial of service if triggered repeatedly. This issue affec
  Source: nvd
CVE-2025-6712 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 8.0, < 8.0.10 | 2025-07-07
  [MEDIUM] CWE-400: MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked to inefficiencies in memory management related to internal operations. In scenarios where certain internal processes persist longer than anticipated, memory consumption can increase, potentially impacting server sta
  Source: nvd
CVE-2026-8202 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 7.0, < 7.0.34; ≥ 8.0, < 8.0.23 (+2 more) | 2026-05-13
  [MEDIUM] CWE-770: Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an authenticated user with aggregation permissions can pin CPU utilization at 100% for an extended period of time. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions p
  Source: nvd
CVE-2026-8199 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 7.0, < 7.0.34; ≥ 8.0, < 8.0.23 (+2 more) | 2026-05-13
  [MEDIUM] CWE-1325: An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. This contributes to memory pressure and may lead to availability loss by OOM. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prio
  Source: nvd
CVE-2025-10059 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 6.0, < 6.0.24; ≥ 7.0, < 7.0.18 (+1 more) | 2025-09-05
  [MEDIUM] CWE-732: An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.
  Source: nvd