📦

mongodb

Vendor: mongodb

Actively Exploited 1 CISA KEV List

PoC / Exploits 4 Code Available

Total RCEs 3 Remote Access

Total CVEs 214 Total Indexed

Avg. EPSS 1.57% Exploit Prob.

Latest CVE CVE-2026-8336 May 13

Security Vulnerability Index

Page 9 / 22

8.2 CVSS

CVE-2019-2390

RCE

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.

EPSS: 0.38%

Severity: HIGH

Aug 30, 2019

5.3 CVSS

CVE-2019-2389

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22.

EPSS: 0.12%

Severity: MEDIUM

Aug 30, 2019

7.1 CVSS

CVE-2019-2386

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts.

EPSS: 0.41%

Severity: HIGH

Aug 06, 2019

8.1 CVSS

CVE-2015-7882

Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access.

EPSS: 0.77%

Severity: HIGH

Jul 19, 2019

4.8 CVSS

CVE-2017-2665

The skyring-setup command creates random password for mongodb skyring database but it writes password in plain text to /etc/skyring/skyring.conf file which is owned by root but read by local user. Any local user who has access to system running skyring service will be able to get password in plain text.

EPSS: 0.04%

Severity: MEDIUM

Jul 06, 2018

9.1 CVSS

CVE-2017-15535

MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory.

EPSS: 0.48%

Severity: CRITICAL

Nov 01, 2017

7.5 CVSS

CVE-2017-14227

In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c.

EPSS: 1.38%

Severity: HIGH

Sep 09, 2017

5.5 CVSS

CVE-2014-8180

MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information which can cause a Denial of Service.

EPSS: 0.05%

Severity: MEDIUM

Jun 06, 2017

7.5 CVSS

CVE-2016-3104

mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database.

EPSS: 1.58%

Severity: HIGH

Apr 14, 2017

5.5 CVSS

CVE-2016-6494

The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files.

EPSS: 0.07%

Severity: MEDIUM

Oct 03, 2016

Displaying 10 of 214 Total Entries

7 8 9 10 11 ... 22

Total 22 Sections