PT-2026-55794 · Cve Search · Cve-Search
Alexandre Dulaunoy +3 · Published 2026-07-05 · Updated 2026-07-05 · CVE-2026-59509

CVSS v4.0: 9.2 Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
An unauthenticated improper input validation vulnerability exists in the POST /fetch cve data endpoint of cve-search. A remote attacker can manipulate the request parameters that control the MongoDB collection, the projected fields, and the regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt users collection, enabling offline password cracking and potential administrative account compromise.
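The description names three client-controlled inputs: the collection, the projected fields, and the regular-expression filters. The following added example (not cve-search's code and not its fix) shows server-side allow-list validation of those three inputs before any query is built; the parameter names `collection`, `fields` and `filters`, the `cves` collection and its field names are assumptions made for illustration.

```python
import re

# Assumed allow-list: collection name -> fields a client may project or filter on.
# Names are hypothetical; anything not listed here is unreachable from a request.
ALLOWED = {
    "cves": {"id", "summary", "cvss", "published"},
}
MAX_PATTERN_LEN = 64  # assumed cap on client-supplied filter text


class RejectedRequest(ValueError):
    """Raised when a client-supplied parameter is outside the allow-list."""


def build_query(params):
    """Turn untrusted request parameters into (collection, projection, filter)."""
    collection = params.get("collection")
    # Type check first: a dict or list here must never reach the database layer.
    if not isinstance(collection, str) or collection not in ALLOWED:
        raise RejectedRequest("collection not allowed")
    allowed_fields = ALLOWED[collection]

    fields = params.get("fields", [])
    if not isinstance(fields, list) or not fields:
        raise RejectedRequest("fields must be a non-empty list")
    for name in fields:
        if not isinstance(name, str) or name not in allowed_fields:
            raise RejectedRequest("field not allowed")
    # Inclusion-only projection; _id is suppressed so nothing is returned implicitly.
    projection = {name: 1 for name in fields}
    projection["_id"] = 0

    filters = params.get("filters", {})
    if not isinstance(filters, dict):
        raise RejectedRequest("filters must be an object")
    mongo_filter = {}
    for field, text in filters.items():
        if field not in allowed_fields:
            raise RejectedRequest("filter field not allowed")
        # Values must be plain strings: a nested object would smuggle in operators.
        if not isinstance(text, str) or len(text) > MAX_PATTERN_LEN:
            raise RejectedRequest("filter value rejected")
        # Escape so the client supplies a literal substring, not a regex.
        mongo_filter[field] = {"$regex": re.escape(text), "$options": "i"}
    return collection, projection, mongo_filter
```

The returned tuple is what the handler would pass to the database driver; a `RejectedRequest` should map to an HTTP 400 and is worth logging, since a legitimate client never sends values outside the allow-list.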
Exploit
Fix
RCE
Missing Authorization
Related Identifiers
Affected Products
Cve-Search