PatchSiren

MongoDB CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH MongoDB CVE published 2026-06-12

CVE-2026-11933

CVE-2026-11933 is a use-after-free vulnerability in MongoDB Server's server-side JavaScript engine. An authenticated user with read privileges who can run server-side JavaScript can cause the server to access memory that has already been freed, potentially resulting in disclosure of information from the mongod process memory or a denial of service through a server crash.

HIGH MongoDB CVE published 2026-06-09

CVE-2026-9754

CVE-2026-9754 is a vulnerability affecting an unspecified product from an unknown vendor. An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.

HIGH MongoDB CVE published 2026-06-09

CVE-2026-9753

The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.

HIGH MongoDB CVE published 2026-06-09

CVE-2026-9752

CVE-2026-9752 is a HIGH severity vulnerability with a CVSS score of 7.1. An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS. This occurs because the guard that rejects strict-winding polygons does not inspect members of a GeometryCollection, allowing the unsafe path to b [truncated]

MEDIUM MongoDB CVE published 2026-06-09

CVE-2026-9751

CVE-2026-9751 is a medium-severity vulnerability in MongoDB. The ldapQueryPassword parameter, when set through the runtime setParameter command, logs the new password to the mongod.log file in plain text. This issue was published on CVE.org on 2026-06-09 and has a CVSS score of 6.8.

HIGH MongoDB CVE published 2026-06-09

CVE-2026-9750

CVE-2026-9750 is a HIGH-severity vulnerability (CVSS Score: 7.1) affecting an unknown vendor and product. An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain execution paths.

HIGH MongoDB CVE published 2026-06-09

CVE-2026-9749

CVE-2026-9749 is a HIGH severity vulnerability with a CVSS score of 7.1. The issue occurs when running an aggregation pipeline that uses the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces enough documents to fill its exchange buffer, the server reaches the code path where a full per-consumer buffer is detected but the internal [truncated]

HIGH MongoDB CVE published 2026-06-09

CVE-2026-9748

CVE-2026-9748 is a HIGH severity vulnerability in MongoDB. The $_internalConvertBucketIndexStats stage used PauseExecution as a way to signal 'skip this document' when an index stats conversion failed. However, PauseExecution is not a general-purpose skip mechanism but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines. When this stage is placed before $facet in a pip [truncated]

HIGH MongoDB CVE published 2026-06-09

CVE-2026-9747

CVE-2026-9747 is a HIGH severity vulnerability with a CVSS score of 7.1. The vulnerability is caused by adding 'fromRouter:true' and 'runtimeConstants.userRoles', which could cause aggregations to crash the MongoDB server. The CVE was published on 2026-06-09 and last modified on 2026-06-10.

HIGH MongoDB CVE published 2026-06-09

CVE-2026-9746

CVE-2026-9746 is a HIGH severity vulnerability in MongoDB that causes the server to crash when using $changestreams and $_requestReshardingResumeToken with the exchange option. The user must be logged in to issue the statement, but no special privileges are needed. The vulnerability has a CVSS score of 7.1.

HIGH MongoDB CVE published 2026-06-09

CVE-2026-9743

CVE-2026-9743 is a HIGH severity vulnerability in MongoDB Server 8.0. An aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline when reattaching to the operation context, accessing an invalid address and crashing the process. This issue allows an authenticated [truncated]

HIGH MongoDB CVE published 2026-06-09

CVE-2026-9742

CVE-2026-9742 is a high-severity vulnerability with a CVSS score of 8.2. When OIDC authentication is enabled, clients can set specific values in the 'mechanism' parameter of the 'authenticate' command, causing a server crash. This command is accessible to unauthenticated clients, leading to potential pre-auth denial-of-service in affected product configurations. The CVE was published on [cvePublishedAt](h [truncated]

HIGH MongoDB CVE published 2026-06-09

CVE-2026-9741

CVE-2026-9741 is a HIGH severity vulnerability in MongoDB's query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE). A bug in this process results in literal values for encrypted fields within the $vectorSearch stage filter expressions being sent to the server as plaintext instead of ciphertext. This issue was published o [truncated]

HIGH MongoDB CVE published 2026-06-09

CVE-2026-9740

A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.

MEDIUM MongoDB CVE published 2026-06-09

CVE-2026-9735

CVE-2026-9735 is a medium severity vulnerability (CVSS Score: 6.8) that affects MongoDB server. The vulnerability may log authentication parameters, including credentials, to the server log during SASL authentication when connection health metric logging is enabled. The full authentication parameters are written to the log without redaction.

HIGH MongoDB CVE published 2026-05-13

CVE-2026-8336

CVE-2026-8336 is a post-authentication denial-of-service issue in MongoDB Server. According to the vendor/NVD description, an authenticated user can trigger a mongod crash after invoking certain internal or mapreduce-related JavaScript paths, and then using server-side JavaScript features such as $where, $function, or mapreduce reduce-stage behavior in a specific way. MongoDB Server v8.2 before 8.2.9 and [truncated]

MEDIUM MongoDB CVE published 2026-05-13

CVE-2026-8202

CVE-2026-8202 is a denial-of-service issue in MongoDB Server where a densely populated chars mask combined with a large input string in the aggregation operators $trim, $ltrim, and $rtrim can pin CPU utilization at 100% for an extended period. The issue was published on 2026-05-13 and last modified by NVD on 2026-05-18. MongoDB versions affected are 7.0 before 7.0.34, 8.0 before 8.0.23, 8.2 before 8.2.9, [truncated]

MEDIUM MongoDB CVE published 2026-05-13

CVE-2026-8200

CVE-2026-8200 is a MongoDB Server information-disclosure issue in which a local server log message generated during a schema validation failure may not fully redact user data. The issue affects MongoDB Server v7.0 prior to 7.0.34, v8.0 prior to 8.0.23, v8.2 prior to 8.2.9, and v8.3 prior to 8.3.2. The practical concern is leakage of sensitive fields into server logs when an insert or update violates colle [truncated]

HIGH MongoDB CVE published 2026-05-13

CVE-2026-8053

CVE-2026-8053 affects MongoDB Server’s time-series collection implementation and can be triggered by an authenticated user with database write privileges. The flaw is an out-of-bounds memory write in the mongod process caused by an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. MongoDB and NVD both indicate that, under certain conditions, the issue can lea [truncated]

Known exploited MongoDB CVE published 2025-12-29

CVE-2025-14847

CVE-2025-14847 is a MongoDB and MongoDB Server vulnerability described as an improper handling of length parameter inconsistency issue. CISA has placed it in the Known Exploited Vulnerabilities catalog, which means defenders should treat it as a high-priority item and prioritize mitigation based on vendor guidance.

Known exploited MongoDB CVE published 2021-12-10

CVE-2019-10758

CVE-2019-10758 is a MongoDB mongo-express remote code execution vulnerability that CISA has included in its Known Exploited Vulnerabilities catalog. That KEV listing means there is authoritative evidence of active exploitation risk, so this issue should be treated as a high-priority remediation item. The supplied CISA record specifies the required action as applying updates per vendor instructions.