CVE-2026-59509

Severity: Unknown (CVSS: N/A)
Published: July 05, 2026 Modified: July 05, 2026

Description

The POST /fetch_cve_data endpoint in cve-search does not require authentication and does not properly validate its request parameters (improper input validation). A remote attacker can supply the values that select the MongoDB collection, the projected fields, and the regular-expression filters, and thereby read arbitrary collections in the application's MongoDB database. This includes the mgmt_users collection, which holds administrative usernames and password hashes; the hashes can be cracked offline, potentially leading to compromise of administrative accounts.
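The following is an added illustration of the bug class described above, written for this page; it is not cve-search's own code and does not reproduce the project's fix. The parameter names (collection, fields, search_field, search_value), the in-memory stand-in for MongoDB, and the sample records are all assumptions constructed for the example. It shows a handler that passes the collection name, projection and regex straight through to the query (the pattern the description warns about) beside a hardened handler that allowlists the collection and field names and treats the search value as a literal string.

```python
"""Added example: unvalidated vs. allowlisted MongoDB query parameters.

Not cve-search's code. Parameter names, collections and records are constructed
for illustration only.
"""
import re

# Constructed stand-in for the application's MongoDB database.
FAKE_DB = {
    "cves": [
        {"id": "CVE-2020-0001", "summary": "Example summary", "cvss": 7.5},
        {"id": "CVE-2021-0002", "summary": "Another summary", "cvss": 9.8},
    ],
    "mgmt_users": [  # administrative accounts; must never be reachable from a public endpoint
        {"username": "admin", "password": "$pbkdf2-sha256$29000$constructed$hash"},
    ],
}


def fake_find(collection, query, projection):
    """Minimal imitation of pymongo's find(filter, projection) with $regex support."""
    results = []
    for doc in FAKE_DB[collection]:
        matched = True
        for field, cond in query.items():
            value = str(doc.get(field, ""))
            if isinstance(cond, dict) and "$regex" in cond:
                if not re.search(cond["$regex"], value):
                    matched = False
            elif doc.get(field) != cond:
                matched = False
        if matched:
            results.append({k: doc[k] for k in projection if k in doc})
    return results


# --- Vulnerable pattern: every query component comes from the request ---
def fetch_cve_data_vulnerable(params):
    """Collection, projection and regex are attacker-controlled (hypothetical names)."""
    collection = params["collection"]
    fields = params["fields"]
    query = {params["search_field"]: {"$regex": params["search_value"]}}
    return fake_find(collection, query, fields)


# --- Hardened pattern: server-side allowlist of collections and fields ---
ALLOWED = {"cves": {"id", "summary", "cvss"}}   # the only data a public caller may see
MAX_SEARCH_LEN = 256


class InvalidRequest(ValueError):
    """Raised for any parameter outside the allowlist; the caller should answer 400."""


def fetch_cve_data_hardened(params):
    collection = params.get("collection")
    if collection not in ALLOWED:
        raise InvalidRequest(f"collection not permitted: {collection!r}")
    allowed_fields = ALLOWED[collection]

    fields = list(params.get("fields", []))
    if not fields or not set(fields) <= allowed_fields:
        raise InvalidRequest("projection field not permitted")

    search_field = params.get("search_field")
    if search_field not in allowed_fields:
        raise InvalidRequest("search field not permitted")

    search_value = str(params.get("search_value", ""))
    if len(search_value) > MAX_SEARCH_LEN:
        raise InvalidRequest("search value too long")

    # re.escape turns the user's input into a literal substring match, so the
    # caller can neither craft regex filters nor submit a pathological pattern.
    query = {search_field: {"$regex": re.escape(search_value)}}
    return fake_find(collection, query, fields)


if __name__ == "__main__":
    probe = {"collection": "mgmt_users", "fields": ["username", "password"],
             "search_field": "username", "search_value": "."}
    print("vulnerable:", fetch_cve_data_vulnerable(probe))
    try:
        fetch_cve_data_hardened(probe)
    except InvalidRequest as exc:
        print("hardened:", exc)
```

The allowlist is keyed by collection so that the permitted field set is tied to the collection rather than checked globally; a global field list would still let a caller read a same-named field from another collection. Escaping the search value is a deliberate trade: it removes user-supplied regular expressions entirely, which also closes the door on regex-based denial of service against the database.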


References to Advisories, Solutions, and Tools

Reference tags: Patch, Vendor Advisory, Exploit, Third Party Advisory
https://github.com/cve-search/cve-search/issues/1217
Source: 5a6e4751-2f3f-4070-9419-94fb35b644e8
https://github.com/cve-search/cve-search/pull/1218
Source: 5a6e4751-2f3f-4070-9419-94fb35b644e8

2 reference(s) from NVD

Quick Stats

CVSS v3 Score: N/A / 10.0
Exploitation Status: Not in CISA KEV

Weaknesses (CWE)