Unauthenticated Input Validation Issue in cve-search
CVE-2026-59509

9.2 CRITICAL

Key Information:

Vendor

cve-search

CVE Published:
5 July 2026

Badges

👾 Exploit Exists 🟡 Public PoC

What is CVE-2026-59509?

An improper input validation vulnerability exists in the POST /fetch_cve_data endpoint of cve-search. The endpoint takes request parameters that select the MongoDB collection to query, the fields to project and the regular-expression filters to apply, and a remote attacker can set all three without authenticating. The result is arbitrary read access to any collection in the cve-search database, including the mgmt_users collection, which holds administrative usernames and password hashes. Those hashes can be cracked offline, which in turn can lead to the compromise of administrative accounts.
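The following is an added illustration of that bug class and its fix, not code from cve-search itself. It models a request handler that forwards attacker-chosen collection, projection and regex parameters to a MongoDB-style find(), beside a hardened version that allowlists the collection and field names and escapes the client's pattern. The parameter names ("collection", "fields", "regex"), the FakeMongo stand-in for pymongo, the allowlists and the sample documents are all assumptions constructed for the example; cve-search's real handler, schema and parameter names may differ.

```python
"""Model of the CVE-2026-59509 bug class: user-controlled collection,
projection and $regex filters reaching a MongoDB find() call.

Added example, not cve-search's code. Parameter names, the FakeMongo
stand-in and the sample documents are constructed for illustration.
"""
import re

# Constructed sample data standing in for the cve-search MongoDB database.
SAMPLE_DB = {
    "cves": [
        {"id": "CVE-2024-0001", "summary": "Example overflow in foo", "cvss": 7.5},
        {"id": "CVE-2024-0002", "summary": "Example XSS in bar", "cvss": 6.1},
    ],
    "mgmt_users": [
        {"username": "admin", "password": "$2b$12$constructedhashvalue"},
    ],
}


class FakeCollection:
    """Minimal stand-in for pymongo's Collection.find(filter, projection)."""

    def __init__(self, docs):
        self.docs = docs

    def find(self, flt, projection=None):
        out = []
        for doc in self.docs:
            if all(self._match(doc.get(k), v) for k, v in flt.items()):
                out.append({k: doc[k] for k in projection if k in doc} if projection else dict(doc))
        return out

    @staticmethod
    def _match(value, cond):
        # Only the $regex operator is modelled; everything else is equality.
        if isinstance(cond, dict) and "$regex" in cond:
            return isinstance(value, str) and re.search(cond["$regex"], value) is not None
        return value == cond


class FakeMongo:
    """Stand-in for a pymongo Database: db["name"] yields a collection."""

    def __init__(self, data):
        self.data = data

    def __getitem__(self, name):
        return FakeCollection(self.data[name])


def fetch_cve_data_vulnerable(db, params):
    """Bug pattern: collection, projection and regex all come straight from the request."""
    collection = params.get("collection", "cves")
    fields = params.get("fields")                 # attacker picks projected fields
    regex = params.get("regex", {})               # attacker supplies raw {field: pattern}
    flt = {k: {"$regex": v} for k, v in regex.items()}
    return db[collection].find(flt, fields)       # attacker picks the collection too


# Allowlists (assumed for the example) describing what the endpoint may expose.
ALLOWED_COLLECTIONS = {"cves"}
ALLOWED_FIELDS = {"cves": {"id", "summary", "cvss"}}
MAX_PATTERN_LEN = 64


def fetch_cve_data_hardened(db, params):
    """Same request shape, but names are allowlisted and regex input is escaped."""
    collection = params.get("collection", "cves")
    if collection not in ALLOWED_COLLECTIONS:
        raise ValueError("collection not permitted")
    allowed = ALLOWED_FIELDS[collection]
    fields = params.get("fields") or sorted(allowed)
    bad = set(fields) - allowed
    if bad:
        raise ValueError(f"fields not permitted: {sorted(bad)}")
    flt = {}
    for field, pattern in params.get("regex", {}).items():
        if field not in allowed or not isinstance(pattern, str) or len(pattern) > MAX_PATTERN_LEN:
            raise ValueError("filter not permitted")
        # The client's text is a literal substring, not a regex program.
        flt[field] = {"$regex": re.escape(pattern)}
    return db[collection].find(flt, list(fields))


def is_blocked(db, params):
    """True if the hardened handler rejects the request."""
    try:
        fetch_cve_data_hardened(db, params)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = FakeMongo(SAMPLE_DB)
    attack = {"collection": "mgmt_users", "fields": ["username", "password"],
              "regex": {"username": "."}}
    print("vulnerable:", fetch_cve_data_vulnerable(db, attack))
    print("hardened blocks it:", is_blocked(db, attack))
```

Escaping the pattern matters even once the collection is pinned: a raw client-supplied $regex lets a caller probe a field one character at a time through match/no-match responses and can carry catastrophic-backtracking patterns that tie up the database, so the hardened handler accepts only a bounded literal substring.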

Affected Version(s)

cve-search v4.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability reserved

Credit

George Chen
Esa Jokinen
P-T-I
Alexandre Dulaunoy