CVE-2026-42334

216.73.217.22

· Published 14/05/2026 18:16 · Modified 15/05/2026 18:25

Labels: CVE-2026-42334 2026-05-14 CVE-2026-42334 CWE-74 [email protected]

Essential information

Published: 14/05/2026 18:16
Modified: 15/05/2026 18:25
Author: —
Creator: —
CVSS: 7.5 HIGH (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS metrics

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.

NVD status

Status: Analyzed — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
mongoosejs / mongoose	`cpe:2.3:a:mongoosejs:mongoose::::::node.js::*`
mongoosejs / mongoose	`cpe:2.3:a:mongoosejs:mongoose::::::node.js::*`
mongoosejs / mongoose	`cpe:2.3:a:mongoosejs:mongoose::::::node.js::*`
mongoosejs / mongoose	`cpe:2.3:a:mongoosejs:mongoose::::::node.js::*`