Unauthenticated Input Validation Issue in cve-search
CVE-2026-59509
Key Information:
- Vendor: cve-search
- CVE Published: 5 July 2026
What is CVE-2026-59509?
An improper input validation vulnerability exists in the POST /fetch_cve_data endpoint of cve-search. The endpoint passes attacker-controlled request parameters straight into the MongoDB query it executes, so a remote, unauthenticated attacker can choose which collection is queried, which fields are projected into the response, and which regular-expression filters are applied to the documents. This allows arbitrary MongoDB collections to be read, including the mgmt_users collection, which stores administrative usernames and password hashes. Disclosed hashes can be cracked offline, which can lead to compromise of administrative accounts and further attacks against the instance.
Affected Version(s)
cve-search v4.0
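To make the flaw concrete, the following is an added illustration, not cve-search's own code: a minimal handler in the style of a Flask/pymongo endpoint that trusts the request body, placed beside a hardened version that allowlists the collection and projected fields and treats filter values as literal text. The parameter names (collection, fields, filter), the in-memory stand-in for MongoDB and the documents in it are all assumptions constructed for this example; the real endpoint's request format is not described on this page.

```python
"""Vulnerable vs. hardened /fetch_cve_data-style handler (illustrative, not cve-search code).

The request shape {"collection": ..., "fields": [...], "filter": {...}} and the
data below are assumptions constructed for this example.
"""
import re

# Constructed stand-in for a MongoDB database: {collection name: [documents]}.
FAKE_HASH = "$2b$12$CONSTRUCTED_FAKE_BCRYPT_HASH_VALUE"  # fabricated, not a real hash
FAKE_DB = {
    "cves": [
        {"id": "CVE-2024-0001", "summary": "example entry", "cvss": 7.5},
    ],
    "mgmt_users": [
        {"username": "admin", "password": FAKE_HASH},
    ],
}


class ValidationError(ValueError):
    """Raised by the hardened handler when a request parameter is rejected."""


def _find(collection, query, projection):
    """Tiny emulation of collection.find(query, projection).

    Supports equality and {"$regex": pattern} conditions; an empty projection
    returns whole documents, mirroring the behaviour the attack relies on.
    """
    results = []
    for doc in FAKE_DB[collection]:
        match = True
        for field, cond in query.items():
            value = str(doc.get(field, ""))
            if isinstance(cond, dict) and "$regex" in cond:
                match = re.search(cond["$regex"], value) is not None
            else:
                match = doc.get(field) == cond
            if not match:
                break
        if match:
            results.append({k: doc[k] for k in projection if k in doc} if projection else dict(doc))
    return results


def fetch_cve_data_vulnerable(payload):
    """Improper input validation: collection, projection and filter all come from the client."""
    collection = payload.get("collection", "cves")
    fields = payload.get("fields", [])
    query = payload.get("filter", {})
    return _find(collection, query, fields)


# Hardened handler: the server, not the client, decides what may be queried.
ALLOWED_FIELDS = {"cves": {"id", "summary", "cvss"}}   # mgmt_users is deliberately absent
REGEX_FIELDS = {"cves": {"id", "summary"}}             # fields that may be pattern-filtered
MAX_PATTERN_LEN = 64


def fetch_cve_data_hardened(payload):
    collection = payload.get("collection", "cves")
    if collection not in ALLOWED_FIELDS:
        raise ValidationError("collection not permitted")
    allowed = ALLOWED_FIELDS[collection]

    fields = payload.get("fields") or sorted(allowed)
    if not isinstance(fields, list) or not all(isinstance(f, str) for f in fields) \
            or not set(fields) <= allowed:
        raise ValidationError("projection contains a non-allowlisted field")

    query = {}
    for field, pattern in (payload.get("filter") or {}).items():
        if field not in REGEX_FIELDS[collection]:
            raise ValidationError("field may not be filtered")
        if not isinstance(pattern, str) or len(pattern) > MAX_PATTERN_LEN:
            raise ValidationError("filter value must be a short string")
        # The client supplies a literal substring, never a regular expression:
        # escaping removes both pattern-based probing and pathological patterns.
        query[field] = {"$regex": re.escape(pattern)}
    return _find(collection, query, fields)


def hardened_accepts(payload):
    """True if the hardened handler would serve the request, False if it rejects it."""
    try:
        fetch_cve_data_hardened(payload)
        return True
    except ValidationError:
        return False
```

In the vulnerable handler the "filter" parameter is also a matching oracle: a request that projects only the username but filters on password with a pattern such as ^\$2b returns a row only when the stored hash begins with that prefix, so an attacker can confirm hash formats or prefixes even without projecting the hash itself. The hardened version closes both paths: the collection and field allowlists stop the direct read, and re.escape stops the client from supplying its own expression.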
Exploit Proof of Concept (PoC)
PoC code is published by security researchers to demonstrate that a vulnerability can actually be exploited. A public PoC is also a building block for weaponisation: it lowers the effort needed to turn the flaw into a working exploit, including by ransomware operators.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved
