Every CVE whose affected-product data names Mongodb, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (112)
CVE-2017-15535 — CVSS 9.1 (critical): MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire…
CVE-2026-4148 — CVSS 8.8 (high): A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially…
CVE-2026-8053 — CVSS 8.8 (high): An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger…
CVE-2024-1351 — CVSS 8.8 (high): Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in…
CVE-2026-11933 — CVSS 8.8 (high): A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript…
CVE-2025-0755 — CVSS 8.4 (high): The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that…
CVE-2019-2390 — CVSS 8.2 (high): An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility…
CVE-2026-9753 — CVSS 8.1 (high): The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to…
CVE-2015-7882 — CVSS 8.1 (high): Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized…
CVE-2025-3085 — CVSS 8.1 (high): A MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled, fails to check the…
CVE-2025-6713 — CVSS 7.7 (high): An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper…
CVE-2019-20925 — CVSS 7.5 (high): An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message…
CVE-2025-6714 — CVSS 7.5 (high): MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects…
CVE-2017-14227 — CVSS 7.5 (high): In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows…
CVE-2020-7925 — CVSS 7.5 (high): Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to…
CVE-2026-1848 — CVSS 7.5 (high): Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number…
CVE-2026-9742 — CVSS 7.5 (high): When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate"…
CVE-2026-9740 — CVSS 7.5 (high): A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially…
CVE-2025-6710 — CVSS 7.5 (high): MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce…
CVE-2025-6709 — CVSS 7.5 (high): The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when…
CVE-2026-8336 — CVSS 7.5 (high): After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way…
CVE-2025-3083 — CVSS 7.5 (high): Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an…
CVE-2024-3372 — CVSS 7.5 (high): Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed…
CVE-2016-3104 — CVSS 7.5 (high): mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and…
CVE-2024-7553 — CVSS 7.3 (high): Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating…
CVE-2019-2386 — CVSS 7.1 (high): After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist…
CVE-2024-10921 — CVSS 6.8 (medium): An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests…
CVE-2026-9754 — CVSS 6.5 (medium): An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the…
CVE-2013-3969 — CVSS 6.5 (medium): The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service…
CVE-2013-4650 — CVSS 6.5 (medium): MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authenticated users to obtain internal system privileges by leveraging a…
CVE-2018-20802 — CVSS 6.5 (medium): A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes…
CVE-2018-20803 — CVSS 6.5 (medium): A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely…
CVE-2018-20804 — CVSS 6.5 (medium): A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue…
CVE-2018-20805 — CVSS 6.5 (medium): A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an…
CVE-2019-20923 — CVSS 6.5 (medium): A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled…
CVE-2019-20924 — CVSS 6.5 (medium): A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant…
CVE-2019-2392 — CVSS 6.5 (medium): A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod…
CVE-2019-2393 — CVSS 6.5 (medium): A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and…
CVE-2020-7923 — CVSS 6.5 (medium): A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant…
CVE-2020-7926 — CVSS 6.5 (medium): A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant…
CVE-2020-7928 — CVSS 6.5 (medium): A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries…
CVE-2020-7929 — CVSS 6.5 (medium): A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex…
CVE-2021-20326 — CVSS 6.5 (medium): A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4…
CVE-2021-20330 — CVSS 6.5 (medium): An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries…
CVE-2021-32037 — CVSS 6.5 (medium): An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent…
CVE-2021-32040 — CVSS 6.5 (medium): It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow…
CVE-2022-24272 — CVSS 6.5 (medium): An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database…
CVE-2024-8305 — CVSS 6.5 (medium): prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases…
CVE-2025-10059 — CVSS 6.5 (medium): An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument…
CVE-2025-10060 — CVSS 6.5 (medium): MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an…
CVE-2025-10061 — CVSS 6.5 (medium): An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the…
CVE-2025-13507 — CVSS 6.5 (medium): Inconsistent object size validation in time series processing logic may result in later processing of oversized BSON documents leading to…
CVE-2025-13644 — CVSS 6.5 (medium): MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the…
CVE-2025-3084 — CVSS 6.5 (medium): When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes…
CVE-2025-6712 — CVSS 6.5 (medium): MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked…
CVE-2025-7259 — CVSS 6.5 (medium): An authorized user can issue queries with duplicate _id fields, that leads to unexpected behavior in MongoDB Server, which may result to…
CVE-2026-1847 — CVSS 6.5 (medium): Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the…
CVE-2026-1849 — CVSS 6.5 (medium): MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises…
CVE-2026-1850 — CVSS 6.5 (medium): Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.
CVE-2026-25610 — CVSS 6.5 (medium): An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.
CVE-2026-25613 — CVSS 6.5 (medium): An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.
CVE-2026-4147 — CVSS 6.5 (medium): An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the…
CVE-2026-6914 — CVSS 6.5 (medium): Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server. This…
CVE-2026-8063 — CVSS 6.5 (medium): An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view…
CVE-2026-8199 — CVSS 6.5 (medium): An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear…
CVE-2026-9741 — CVSS 6.5 (medium): A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level…
CVE-2026-9743 — CVSS 6.5 (medium): In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is…
CVE-2026-9746 — CVSS 6.5 (medium): When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server…
CVE-2026-9747 — CVSS 6.5 (medium): Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server.
CVE-2026-9748 — CVSS 6.5 (medium): The $_internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion…
CVE-2026-9749 — CVSS 6.5 (medium): This issue can occur when running an aggregation pipeline that uses the internal $exchange stage configured with key-range partitioning and…
CVE-2026-9750 — CVSS 6.5 (medium): An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal…
CVE-2026-9752 — CVSS 6.5 (medium): An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON…
CVE-2012-6619 — CVSS 6.4 (medium): The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of…
CVE-2026-4358 — CVSS 6.4 (medium): A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free…
CVE-2024-8207 — CVSS 6.4 (medium): In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be…
CVE-2026-6915 — CVSS 6.3 (medium): An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related…
CVE-2013-1892 — CVSS 6.0 (medium): MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows…
CVE-2014-8180 — CVSS 5.5 (medium): MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information…
CVE-2021-32039 — CVSS 5.5 (medium): Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary…
CVE-2016-6494 — CVSS 5.5 (medium): The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive…
CVE-2026-9735 — CVSS 5.5 (medium): MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection…
CVE-2026-9751 — CVSS 5.5 (medium): The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in…
CVE-2024-6375 — CVSS 5.4 (medium): A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard…
CVE-2021-32036 — CVSS 5.4 (medium): An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may…
CVE-2026-25609 — CVSS 5.4 (medium): Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only.
CVE-2024-3374 — CVSS 5.3 (medium): An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a…
CVE-2019-2389 — CVSS 5.3 (medium): Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert…
CVE-2021-20333 — CVSS 5.3 (medium): Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split…
CVE-2024-6384 — CVSS 5.3 (medium): "Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue…
CVE-2026-5170 — CVSS 5.3 (medium): A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and…
CVE-2025-11979 — CVSS 5.3 (medium): An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are…
CVE-2023-1409 — CVSS 5.3 (medium): If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already…
CVE-2025-6706 — CVSS 5.0 (medium): An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user…
CVE-2014-3971 — CVSS 5.0 (medium): The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows…
CVE-2025-12657 — CVSS 5.0 (medium): The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid…
CVE-2015-1609 — CVSS 5.0 (medium): MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON…
CVE-2024-8654 — CVSS 5.0 (medium): MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal…
CVE-2018-25004 — CVSS 4.9 (medium): A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find…
CVE-2017-2665 — CVSS 4.8 (medium): The skyring-setup command creates random password for mongodb skyring database but it writes password in plain text to…
CVE-2020-7921 — CVSS 4.6 (medium): Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with…
CVE-2025-6711 — CVSS 4.4 (medium): An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error…
CVE-2026-8202 — CVSS 4.3 (medium): Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an…
CVE-2013-2132 — CVSS 4.3 (medium): bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause…
CVE-2025-14345 — CVSS 4.2 (medium): A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical…
CVE-2025-12893 — CVSS 4.2 (medium): Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the…
CVE-2025-6707 — CVSS 4.2 (medium): Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized…
CVE-2025-3082 — CVSS 3.1 (low): A user authorized to access a view may be able to alter the intended collation, allowing them to access to a different or unintended view…
CVE-2025-13643 — CVSS 3.1 (low): A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other…
CVE-2026-8200 — CVSS 2.7 (low): When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log…