PT-2026-55794 · Cve Search · Cve-Search
Alexandre Dulaunoy +3 · Published 2026-07-05 · Updated 2026-07-05 · CVE-2026-59509
CVSS v4.0: 9.2 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
cve-search has an unauthenticated improper input validation vulnerability in the POST /fetch cve data endpoint. A remote attacker can manipulate the request parameters that control the MongoDB collection, the projected fields, and the regular-expression filters, and so read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt users collection, enabling offline password cracking and potential administrative account compromise.
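As a mitigation sketch for the three attacker-controlled inputs named above, the following added example (not cve-search's code and not the project's fix) validates collection, projection and filter parameters against a server-side allow-list before any MongoDB query is built. The parameter keys, collection name and field names are assumptions chosen for illustration.

```python
import re

# Assumed policy: the only collections the public endpoint may read, each with
# the fields a client may project or filter on. Names are illustrative.
ALLOWED = {
    "cves": {"id", "summary", "cvss", "published", "modified"},
}
MAX_FILTER_LEN = 64


class RejectedRequest(ValueError):
    """Raised when a client-supplied parameter falls outside the policy."""


def build_query(params):
    """Turn untrusted request parameters into (collection, projection, query).

    `params` uses hypothetical keys: "collection" (str), "fields" (list of
    str) and "filters" (dict of field -> search text).
    """
    collection = params.get("collection")
    if not isinstance(collection, str) or collection not in ALLOWED:
        raise RejectedRequest("collection not permitted")
    allowed_fields = ALLOWED[collection]

    fields = params.get("fields") or []
    if not isinstance(fields, list) or not fields:
        raise RejectedRequest("fields must be a non-empty list")
    projection = {"_id": 0}
    for name in fields:
        if not isinstance(name, str) or name not in allowed_fields:
            raise RejectedRequest("field not permitted")
        projection[name] = 1

    filters = params.get("filters") or {}
    if not isinstance(filters, dict):
        raise RejectedRequest("filters must be an object")
    query = {}
    for name, text in filters.items():
        if name not in allowed_fields:
            raise RejectedRequest("filter field not permitted")
        # Only plain strings: a dict here would be a client-supplied operator.
        if not isinstance(text, str) or len(text) > MAX_FILTER_LEN:
            raise RejectedRequest("filter value not permitted")
        # Escape so the text matches literally instead of as a pattern.
        query[name] = {"$regex": re.escape(text), "$options": "i"}
    return collection, projection, query
```

Input validation of this kind narrows what the endpoint can read; it does not replace an authorization check on the route itself.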
Exploit
Fix
RCE
Missing Authorization
Related identifiers
Affected products
Cve-Search