Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package mongoose, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVE-2019-17426 — CVSS 9.1 (critical): Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a…
CVE-2025-23061 — CVSS 9.0 (critical): Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue…
CVE-2026-42334 — CVSS 7.5 (high): Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a…
CVE-2022-24304: Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-2564. Reason: This candidate is a duplicate of CVE-2022-2564…