PT-2026-55794 · Cve Search · Cve-Search

Alexandre Dulaunoy

Published 2026-07-05 · Updated 2026-07-05

CVE-2026-59509

CVSS v4.0: 9.2 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
An unauthenticated improper input validation vulnerability in the POST /fetch cve data endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt users collection, enabling offline password cracking and potential administrative account compromise.
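The defensive check a practitioner would want for the behaviour described above, added here as an illustration and not code from cve-search: every attacker-reachable parameter (collection, projected fields, filter patterns) is matched against a fixed allowlist, and the filter text is escaped so it becomes a literal substring match rather than an attacker-authored regular expression. The collection and field names below are constructed placeholders, not cve-search's real schema.

```python
import re

# Constructed allowlists for the example; cve-search's real collection and
# field names are assumptions here. Management/user collections are simply
# never listed, so a request naming one is refused before any query is built.
ALLOWED_COLLECTIONS = {"cves", "cpe"}
ALLOWED_FIELDS = {
    "cves": {"id", "summary", "cvss"},
    "cpe": {"id", "title"},
}
MAX_PATTERN_LEN = 128


class InvalidRequest(ValueError):
    """Raised for any parameter that is not on the allowlist."""


def build_safe_query(params):
    """Validate request parameters and return (collection, filter, projection).

    The returned tuple is what a handler would pass to pymongo's find();
    nothing user-supplied reaches MongoDB as a name or as a regex.
    """
    collection = params.get("collection")
    if collection not in ALLOWED_COLLECTIONS:
        raise InvalidRequest("collection not permitted")
    allowed = ALLOWED_FIELDS[collection]

    fields = params.get("fields", [])
    if not isinstance(fields, list) or not fields:
        raise InvalidRequest("fields must be a non-empty list")
    if any(f not in allowed for f in fields):  # also rejects "$where" style keys
        raise InvalidRequest("field not permitted")
    projection = {f: 1 for f in fields}
    projection["_id"] = 0

    filters = params.get("filters", {})
    if not isinstance(filters, dict):
        raise InvalidRequest("filters must be an object")
    query = {}
    for field, pattern in filters.items():
        if field not in allowed or not isinstance(pattern, str):
            raise InvalidRequest("filter not permitted")
        if len(pattern) > MAX_PATTERN_LEN:
            raise InvalidRequest("filter too long")
        # re.escape turns the text into a literal match: no user-controlled
        # regex syntax, so no wildcard reads and no catastrophic backtracking.
        query[field] = {"$regex": re.escape(pattern), "$options": "i"}
    return collection, query, projection
```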

Tags: Exploit · Fix · RCE · Missing Authorization


Weakness Enumeration

Related identifiers: CVE-2026-59509

Affected products: Cve-Search