CVE-2019-17426 — CVSS 9.1 (critical): Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a…
CVE-2025-23061 — CVSS 9.0 (critical): Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue…
CVE-2026-42334 — CVSS 7.5 (high): Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a…