CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
The ldapQueryPassword parameter, when set through the runtime setParameter command, logs the new password to the mongod.log file in plain text.
An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain execution paths.
The vulnerability occurs when running an aggregation pipeline using the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces enough documents to fill its exchange buffer, the server does not update the internal 'high watermark' for that key range as intended.
The $_internalConvertBucketIndexStats stage used PauseExecution to signal 'skip this document' when an index stats conversion failed. However, PauseExecution is not a general-purpose skip mechanism, leading to mongod crashes when this stage is placed before $facet in a pipeline.
Adding fromRouter:true and runtimeConstants.userRoles could cause MongoDB server crashes during aggregations.
Using $changestreams and $_requestReshardingResumeToken with the exchange option causes the server to crash due to hitting an invariant. The user must be logged in to issue the statement.
In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline, leading to a process crash.
A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions being sent to the server as plaintext instead of ciphertext.
The MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction.
In lldpd prior to version 1.0.22, there is a bug in the lldpd_decode() function that leads to a heap buffer over-read. This issue arises from incorrect byte count calculation, which may result in memory violations.
CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition.
CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition.
CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Improper Input Validation vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition.
CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition.
CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by a 'Path Traversal' vulnerability that allows arbitrary file system writes. An attacker could exploit this vulnerability to write to unauthorized files or directories outside of intended restrictions.
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. This can be exploited by injecting malicious content through the project request parameter in oscal-forms.php.
OpenClinic GA version 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser. Attackers can craft a DICOM file with malicious payloads in metadata fields that are reflected without sanitization.
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information, requiring user interaction in that a victim must open a malicious file.
ColdFusion versions 2023.19, 2025.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information.

