|
3671
|
6.5 |
MEDIUM
Network
|
-
|
-
|
A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields w…
|
CWE-319
Cleartext Transmission of Sensitive Information
|
CVE-2026-9741
|
2026-06-11 04:43 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3672
|
7.5 |
HIGH
Network
|
-
|
-
|
When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is…
|
CWE-1287
Improper Validation of Specified Type of Input
|
CVE-2026-9742
|
2026-06-11 04:43 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3673
|
6.5 |
MEDIUM
Network
|
-
|
-
|
When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user m…
|
CWE-617
Reachable Assertion
|
CVE-2026-9746
|
2026-06-11 04:43 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3674
|
6.5 |
MEDIUM
Network
|
-
|
-
|
This issue can occur when running an aggregation pipeline that uses the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces e…
|
CWE-617
Reachable Assertion
|
CVE-2026-9749
|
2026-06-11 04:43 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3675
|
6.5 |
MEDIUM
Network
|
-
|
-
|
An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS.
Strict-wi…
|
CWE-476
NULL Pointer Dereference
|
CVE-2026-9752
|
2026-06-11 04:43 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3676
|
8.1 |
HIGH
Network
|
-
|
-
|
The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApply…
|
CWE-1287
Improper Validation of Specified Type of Input
|
CVE-2026-9753
|
2026-06-11 04:43 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3677
|
6.5 |
MEDIUM
Network
|
-
|
-
|
An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command
|
CWE-457
Use of Uninitialized Variable
|
CVE-2026-9754
|
2026-06-11 04:43 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3678
|
5.4 |
MEDIUM
Network
|
microsoft
|
sharepoint_server
|
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
|
CWE-79
Cross-site Scripting
|
CVE-2026-45479
|
2026-06-11 04:42 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3679
|
6.1 |
MEDIUM
Network
|
-
|
-
|
Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in …
|
CWE-79
Cross-site Scripting
|
CVE-2026-32856
|
2026-06-11 04:41 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3680
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HT…
|
CWE-79
Cross-site Scripting
|
CVE-2026-25557
|
2026-06-11 04:41 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
