|
451
|
6.5 |
MEDIUM
Network
|
-
|
-
|
An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from in…
New
|
CWE-617
Reachable Assertion
|
CVE-2026-9750
|
2026-06-10 08:17 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
452
|
6.5 |
MEDIUM
Network
|
-
|
-
|
This issue can occur when running an aggregation pipeline that uses the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces e…
New
|
CWE-617
Reachable Assertion
|
CVE-2026-9749
|
2026-06-10 08:17 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
453
|
6.5 |
MEDIUM
Network
|
-
|
-
|
The $_internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechani…
New
|
CWE-617
Reachable Assertion
|
CVE-2026-9748
|
2026-06-10 08:17 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
454
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server.
New
|
CWE-617
Reachable Assertion
|
CVE-2026-9747
|
2026-06-10 08:17 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
455
|
6.5 |
MEDIUM
Network
|
-
|
-
|
When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user m…
New
|
CWE-617
Reachable Assertion
|
CVE-2026-9746
|
2026-06-10 08:17 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
456
|
6.5 |
MEDIUM
Network
|
-
|
-
|
In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may derefe…
New
|
CWE-476
NULL Pointer Dereference
|
CVE-2026-9743
|
2026-06-10 08:17 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
457
|
7.5 |
HIGH
Network
|
-
|
-
|
When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is…
New
|
CWE-1287
Improper Validation of Specified Type of Input
|
CVE-2026-9742
|
2026-06-10 08:17 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
458
|
6.5 |
MEDIUM
Network
|
-
|
-
|
A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields w…
New
|
CWE-319
Cleartext Transmission of Sensitive Information
|
CVE-2026-9741
|
2026-06-10 08:17 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
459
|
7.5 |
HIGH
Network
|
-
|
-
|
A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain n…
New
|
CWE-674
Uncontrolled Recursion
|
CVE-2026-9740
|
2026-06-10 08:17 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
460
|
5.5 |
MEDIUM
Local
|
-
|
-
|
MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parame…
New
|
CWE-532
Inclusion of Sensitive Information in Log Files
|
CVE-2026-9735
|
2026-06-10 08:17 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
