9.2

CVE-2026-59509: CVE-Search Exposes MongoDB Collections to Unauthenticated Access

Summary

CVE-Search, a tool for searching CVEs, has a flaw that allows attackers to access any MongoDB collection without logging in. This could lead to sensitive data being exposed, including admin usernames and passwords, which could be used to take control of admin accounts. To protect yourself, update CVE-Search to the latest version or consider using a different tool for searching CVEs.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor: cve-search
Product: cve-search
Affected versions: <= v6.0.0
Original title
Unauthenticated arbitrary MongoDB collection read in cve-search
Original description
An unauthenticated improper input validation vulnerability in the POST /fetch_cve_data endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt_users collection, enabling offline password cracking and potential administrative account compromise.
Vulnerability type
CWE-20 Improper Input Validation
CWE-862 Missing Authorization
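The description above pins the weakness to three request parameters that the server forwarded to MongoDB without validation (collection name, projected fields, regular-expression filter) on an endpoint that required no login. The following is an added illustration of the corresponding server-side controls, not cve-search's own code: a request validator for a hypothetical /fetch_cve_data-style handler that only ever queries collections and fields from a fixed allow-list, escapes the user's search text so it is matched literally rather than as a regular expression, rejects operator objects passed in place of strings, and refuses unauthenticated calls outright. The collection and field names, the `authenticated` flag and the `search` parameter are assumptions for the example; the function returns a query specification instead of touching a database so it runs offline.

```python
import re

# Constructed allow-list for this example. The real cve-search schema is not
# reproduced here; the point is that every queryable collection and every
# projectable field is enumerated in code, so a request can never name
# anything else. A credentials collection such as mgmt_users is simply not
# present and therefore unreachable through this path.
ALLOWED_COLLECTIONS = {
    "cves": {
        "fields": {"id", "summary", "cvss", "published", "modified"},
        "search_field": "summary",
    },
    "cpe": {
        "fields": {"id", "title"},
        "search_field": "title",
    },
}

MAX_SEARCH_LEN = 200  # assumption: cap filter length to bound regex cost


class InvalidFetchRequest(ValueError):
    """Raised when a fetch request fails authorization or validation."""


def build_query(params: dict, authenticated: bool) -> dict:
    """Turn an untrusted request body into a safe MongoDB query spec.

    Returns {"collection": ..., "filter": ..., "projection": ...} or raises
    InvalidFetchRequest. Nothing from `params` reaches the returned spec
    unchanged except field names that are already on the allow-list.
    """
    # CWE-862: the endpoint itself must require a session, not just hide data.
    if not authenticated:
        raise InvalidFetchRequest("authentication required")

    # CWE-20, parameter 1: the collection is looked up, never interpolated.
    collection = params.get("collection")
    if collection not in ALLOWED_COLLECTIONS:
        raise InvalidFetchRequest(f"collection not permitted: {collection!r}")
    spec = ALLOWED_COLLECTIONS[collection]

    # Parameter 2: projected fields are intersected with the allow-list;
    # any unknown name rejects the whole request rather than being ignored.
    requested = params.get("fields")
    if requested is None:
        requested = sorted(spec["fields"])
    if not isinstance(requested, list) or not all(
        isinstance(f, str) for f in requested
    ):
        raise InvalidFetchRequest("fields must be a list of strings")
    unknown = set(requested) - spec["fields"]
    if unknown:
        raise InvalidFetchRequest(f"fields not permitted: {sorted(unknown)}")
    projection = {f: 1 for f in requested}
    projection["_id"] = 0  # never leak internal ObjectIds

    # Parameter 3: the search term must be a plain string (a dict here would
    # be a MongoDB operator object) and is escaped so the client controls a
    # literal substring, not a regular expression.
    mongo_filter = {}
    search = params.get("search")
    if search is not None:
        if not isinstance(search, str) or len(search) > MAX_SEARCH_LEN:
            raise InvalidFetchRequest("search must be a short string")
        mongo_filter[spec["search_field"]] = {
            "$regex": re.escape(search),
            "$options": "i",
        }

    return {"collection": collection, "filter": mongo_filter, "projection": projection}


if __name__ == "__main__":
    # Constructed request: a legitimate, authenticated query.
    print(build_query({"collection": "cves", "fields": ["id", "summary"],
                       "search": "openssl 1.0.*"}, authenticated=True))
    # Constructed request naming a collection that is not on the allow-list.
    try:
        build_query({"collection": "mgmt_users"}, authenticated=True)
    except InvalidFetchRequest as exc:
        print("rejected:", exc)
```

The handler that wraps this would pass the returned spec to the driver as `db[spec["collection"]].find(spec["filter"], spec["projection"])`; because the collection string came out of the allow-list dictionary rather than the request, the lookup is safe even though it is still dynamic. Logging each `InvalidFetchRequest` with the offending parameter values gives a detection signal for probing of the endpoint.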
Published: 5 Jul 2026 · Updated: 5 Jul 2026 · First seen: 5 Jul 2026