CVE Catalog

CVE-2026-59509

CriticalCVSS 9.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile — higher than 27% of all known CVEs

Summary

An unauthenticated improper input validation vulnerability in cve-search allows an attacker to manipulate request parameters in the POST /fetch_cve_data endpoint, enabling reading arbitrary MongoDB collections including mgmt_users with admin usernames and password hashes.

Risk Assessment

The risk includes offline password cracking and potential administrative account takeover, leading to full system and data compromise.

Recommendation

Immediately update cve-search to the latest patched version and restrict access to the /fetch_cve_data endpoint to authenticated users only.

Original NVD description (English source)

An unauthenticated improper input validation vulnerability in the POST /fetch_cve_data endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt_users collection, enabling offline password cracking and potential administrative account compromise.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS