9.2
CVE-2026-59509: CVE-Search Exposes MongoDB Collections to Unauthenticated Access
CVE-2026-59509
Summary
CVE-Search, a tool for searching CVEs, has a flaw that allows attackers to access any MongoDB collection without logging in. This could lead to sensitive data being exposed, including admin usernames and passwords, which could be used to take control of admin accounts. To protect yourself, update CVE-Search to the latest version or consider using a different tool for searching CVEs.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| cve-search | cve-search | <= v6.0.0 |
Original title
Unauthenticated arbitrary MongoDB collection read in cve-search
Original description
An unauthenticated improper input validation vulnerability exists in the POST /fetch_cve_data endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt_users collection, enabling offline password cracking and potential administrative account compromise.
Vulnerability type
- CWE-20: Improper Input Validation
- CWE-862: Missing Authorization
References
- https://github.com/cve-search/cve-search/pull/1218 (patch)
- https://github.com/cve-search/cve-search/issues/1217 (exploit, technical description)
Published: 5 Jul 2026 · Updated: 5 Jul 2026 · First seen: 5 Jul 2026