PT-2026-55794 · Cve Search · Cve-Search

Alexandre Dulaunoy +3 · Published 2026-07-05 · Updated 2026-07-05 · CVE-2026-59509

CVSS v4.0: 9.2 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
An unauthenticated improper input validation vulnerability exists in the POST /fetch cve data endpoint in cve-search. A remote attacker can manipulate the request parameters that control the MongoDB collection, the projected fields, and the regular-expression filters in order to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt users collection, enabling offline password cracking and potential compromise of administrative accounts.

Tags: Exploit · Fix · RCE · Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-59509

Affected Products

Cve-Search