Every CVE whose affected-product data names Cesanta Mongoose, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (47)
CVE-2018-20354 — CVSS 9.8 (critical): An invalid read of 8 bytes due to a use-after-free vulnerability during a "return" in the mg_http_get_proto_data function in mongoose.c in…
CVE-2018-20355 — CVSS 9.8 (critical): An invalid write of 8 bytes due to a use-after-free vulnerability in the mg_http_free_proto_data_cgi function call in mongoose.c in Cesanta…
CVE-2022-25299 — CVSS 9.8 (critical): This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using mg_http_upload() method may…
CVE-2017-2894 — CVSS 9.8 (critical): An exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially…
CVE-2020-25756 — CVSS 9.8 (critical): A buffer overflow vulnerability exists in the mg_get_http_header function in Cesanta Mongoose 6.18 due to a lack of bounds checking. A…
CVE-2019-19307 — CVSS 9.8 (critical): An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6.16 allows an attacker to achieve remote DoS (infinite loop), or…
CVE-2017-2921 — CVSS 9.8 (critical): An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted…
CVE-2017-2922 — CVSS 9.8 (critical): An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted…
CVE-2019-12951 — CVSS 9.8 (critical): An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow.
CVE-2017-2892 — CVSS 9.8 (critical): An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially…
CVE-2017-2891 — CVSS 9.8 (critical): An exploitable use-after-free vulnerability exists in the HTTP server implementation of Cesanta Mongoose 6.8. An ordinary HTTP POST request…
CVE-2018-20356 — CVSS 9.8 (critical): An invalid read of 8 bytes due to a use-after-free vulnerability in the mg_http_free_proto_data_cgi function call in mongoose.c in Cesanta…
CVE-2018-20353 — CVSS 9.8 (critical): An invalid read of 8 bytes due to a use-after-free vulnerability during a "NULL test" in the mg_http_get_proto_data function in mongoose.c…
CVE-2018-18765 — CVSS 9.1 (critical): An exploitable arbitrary memory read vulnerability exists in the MQTT packet-parsing functionality of Cesanta Mongoose 6.13. It is a…
CVE-2018-18764 — CVSS 9.1 (critical): An exploitable arbitrary memory read vulnerability exists in the MQTT packet-parsing functionality of Cesanta Mongoose 6.13. It is a…
CVE-2021-26528 — CVSS 9.1 (critical): The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via connection request after…
CVE-2021-26529 — CVSS 9.1 (critical): The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB…
CVE-2021-26530 — CVSS 9.1 (critical): The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB write attack via…
CVE-2023-2905 — CVSS 8.8 (high): Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an…
CVE-2020-25887 — CVSS 8.8 (high): Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts file.
CVE-2017-2895 — CVSS 8.2 (high): An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially…
CVE-2024-42386 — CVSS 8.2 (high): Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet…
CVE-2017-2909 — CVSS 7.5 (high): An infinite loop programming error exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS request…
CVE-2017-2893 — CVSS 7.5 (high): An exploitable NULL pointer dereference vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An MQTT…
CVE-2023-34188 — CVSS 7.5 (high): The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload…
CVE-2024-42384 — CVSS 7.5 (high): Integer Overflow or Wraparound vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and…
CVE-2025-51495 — CVSS 7.5 (high): An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By sending a specially crafted WebSocket…
CVE-2018-10945 — CVSS 7.5 (high): The mg_handle_cgi function in mongoose.c in Mongoose 6.11 allows remote attackers to cause a denial of service (heap-based buffer over-read…
CVE-2026-5244 — CVSS 7.3 (high): A vulnerability has been found in Cesanta Mongoose up to 7.20. This affects the function mg_tls_recv_cert of the file mongoose.c of the…
CVE-2026-5245 — CVSS 5.6 (medium): A vulnerability was found in Cesanta Mongoose up to 7.20. This impacts the function handle_mdns_record of the file mongoose.c of the…
CVE-2026-5246 — CVSS 5.6 (medium): A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c…
CVE-2024-42389 — CVSS 5.3 (medium): Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet…
CVE-2026-6985 — CVSS 5.3 (medium): A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file…
CVE-2024-42387 — CVSS 5.3 (medium): Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet…
CVE-2024-42388 — CVSS 5.3 (medium): Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet…
CVE-2025-65502 — CVSS 4.3 (medium): Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS…
CVE-2024-42390 — CVSS 4.3 (medium): Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet…
CVE-2024-42391 — CVSS 4.3 (medium): Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet…
CVE-2024-42383 — CVSS 4.2 (medium): Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory…
CVE-2024-42385 — CVSS 4.0 (medium): Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if…
CVE-2024-42392 — CVSS 4.0 (medium): Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an infinite loop bug if the…
CVE-2026-2967 — CVSS 3.7 (low): A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c…
CVE-2026-2966 — CVSS 3.7 (low): A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of…
CVE-2026-6986 — CVSS 3.7 (low): A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file…
CVE-2026-2968 — CVSS 3.7 (low): A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file…