Mongoose
This hub aggregates every CVE we track for Mongoose, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 57
- Critical: 23
- High: 14
- In CISA KEV: 0
Severity distribution
- CRITICAL: 23
- MEDIUM: 16
- HIGH: 14
- LOW: 4
Monthly trend
2024-07 to 2026-06, one value per month: 0, 0, 0, 0, 10, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 3, 0, 5, 1, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Mongoose.
- CVE-2026-42334: Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection (score 7.5)
- CVE-2026-6986: Cesanta Mongoose GCM Authentication Tag tls_aes128.c mg_aes_gcm_decrypt signature verification (score 3.7)
- CVE-2026-6985: Cesanta Mongoose TCP Option net_builtin.c handle_opt infinite loop (score 5.3)
- CVE-2026-5246: Cesanta Mongoose P-384 Public Key mongoose.c mg_tls_verify_cert_signature authorization (score 5.6)
- CVE-2026-5245: Cesanta Mongoose mDNS Record mongoose.c handle_mdns_record stack-based overflow (score 5.6)
- CVE-2026-5244: Cesanta Mongoose TLS 1.3 mongoose.c mg_tls_recv_cert heap-based overflow (score 7.3)
- CVE-2026-2968: Cesanta Mongoose Poly1305 Authentication Tag tls_chacha20.c mg_chacha20_poly1305_decrypt signature verification (score 3.7)
- CVE-2026-2967: Cesanta Mongoose TCP Sequence Number net_builtin.c getpeer verification of source (score 3.7)
- CVE-2026-2966: Cesanta Mongoose DNS Transaction ID dns.c mg_sendnsreq random values (score 3.7)
- CVE-2025-65502: Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL. (score 4.3)
- CVE-2025-51495: An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By sending a specially crafted WebSocket request, an attacker can cause the application to crash. If d... (score 7.5)
- CVE-2025-23061: Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900. (score 9.0)
- CVE-2024-53900: Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. (score 9.1)
- CVE-2024-42392: Improper Neutralization of Delimiters in Mongoose Web Server library (score 4.0)
- CVE-2024-42391: Use of Out-of-range Pointer Offset in Mongoose Web Server library (score 4.3)
Product normalization is registry-driven with AI assist and human review.