Product: cesanta mongoose
57 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph. Note that several entries below (those whose descriptions refer to a MongoDB object modeling tool or to the automattic/mongoose repository) concern the unrelated Node.js Mongoose ODM rather than the Cesanta embedded web server; check the description before attributing an entry to Cesanta Mongoose.
CVE-2026-42334 · affected: < 6.13.9 · CVSS 7.5 (HIGH)
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.

CVE-2026-6986 · affected: >= 7.0 and < 7.21 · CVSS 3.7 (LOW)
A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of t

CVE-2026-6985 · affected: >= 7.0 and < 7.21 · CVSS 5.3 (MEDIUM)
A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src

CVE-2026-5246 · affected: >= 7.0 and < 7.21 · CVSS 5.6 (MEDIUM)
A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file m

CVE-2026-5245 · affected: >= 7.0 and < 7.21 · CVSS 5.6 (MEDIUM)
A vulnerability was found in Cesanta Mongoose up to 7.20. This impacts the function handle_mdns_record of the file mongoose.c of t

CVE-2026-5244 · affected: >= 7.0 and < 7.21 · CVSS 7.3 (HIGH)
A vulnerability has been found in Cesanta Mongoose up to 7.20. This affects the function mg_tls_recv_cert of the file mongoose.c o

CVE-2026-2968 · affected: <= 7.20 · CVSS 3.7 (LOW)
A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /s

CVE-2026-2967 · affected: <= 7.20 · CVSS 3.7 (LOW)
A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_

CVE-2026-2966 · affected: <= 7.20 · CVSS 3.7 (LOW)
A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/

CVE-2025-65502 · affected: < 7.2 · CVSS 4.3 (MEDIUM)
Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via

CVE-2025-51495 · affected: >= 7.5 and <= 7.17 · CVSS 7.5 (HIGH)
An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By sending a specially crafted WebS

CVE-2025-23061 · affected: < 6.13.6 · CVSS 9.0 (CRITICAL)
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this i

CVE-2024-53900 · affected: < 6.13.5 · CVSS 9.1 (CRITICAL)
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.

CVE-2024-42392 · affected: <= 7.14 · CVSS 4.0 (MEDIUM)
Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an infinite loop bug if

CVE-2024-42391 · affected: <= 7.14 · CVSS 4.3 (MEDIUM)
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS

CVE-2024-42390 · affected: <= 7.14 · CVSS 4.3 (MEDIUM)
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS

CVE-2024-42389 · affected: <= 7.14 · CVSS 5.3 (MEDIUM)
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS

CVE-2024-42388 · affected: <= 7.14 · CVSS 5.3 (MEDIUM)
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS

CVE-2024-42387 · affected: <= 7.14 · CVSS 5.3 (MEDIUM)
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS

CVE-2024-42386 · affected: <= 7.14 · CVSS 8.2 (HIGH)
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS

CVE-2024-42385 · affected: <= 7.14 · CVSS 4.0 (MEDIUM)
Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory

CVE-2024-42384 · affected: <= 7.14 · CVSS 7.5 (HIGH)
Integer Overflow or Wraparound vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS pac

CVE-2024-42383 · affected: <= 7.14 · CVSS 4.2 (MEDIUM)
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the

CVE-2020-25887 · affected: all versions · CVSS 8.8 (HIGH)
Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts file.

CVE-2023-2905 · affected: all versions · CVSS 8.8 (HIGH)
Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mo

CVE-2023-3696 · affected: < 5.13.20 · CVSS 9.8 (CRITICAL)
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.

CVE-2023-34188 · affected: < 7.10 · CVSS 7.5 (HIGH)
The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack pa

CVE-2022-2564 · affected: < 5.13.15 · CVSS 9.8 (CRITICAL)
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.

CVE-2022-25299 · affected: < 7.6 · CVSS 9.8 (CRITICAL)
This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using mg_http_upload() metho

CVE-2021-26530 · affected: all versions · CVSS 9.1 (CRITICAL)
The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB write at

CVE-2021-26529 · affected: >= 6.7 and <= 6.18 · CVSS 9.1 (CRITICAL)
The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote

CVE-2021-26528 · affected: all versions · CVSS 9.1 (CRITICAL)
The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via connection reques

CVE-2020-25756 · affected: all versions · CVSS 9.8 (CRITICAL)
A buffer overflow vulnerability exists in the mg_get_http_header function in Cesanta Mongoose 6.18 due to a lack of bounds checkin

CVE-2019-19307 · affected: all versions · CVSS 9.8 (CRITICAL)
An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6.16 allows an attacker to achieve remote DoS (infinite loop),

CVE-2019-17426 · affected: <= 5.7.4 · CVSS 9.1 (CRITICAL)
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a

CVE-2019-13503 · affected: all versions · CVSS 7.5 (HIGH)
mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer over-read.

CVE-2019-12951 · affected: < 6.15 · CVSS 9.8 (CRITICAL)
An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow.

CVE-2018-20356 · affected: <= 6.13 · CVSS 9.8 (CRITICAL)
An invalid read of 8 bytes due to a use-after-free vulnerability in the mg_http_free_proto_data_cgi function call in mongoose.c in

CVE-2018-20355 · affected: <= 6.13 · CVSS 9.8 (CRITICAL)
An invalid write of 8 bytes due to a use-after-free vulnerability in the mg_http_free_proto_data_cgi function call in mongoose.c i

CVE-2018-20354 · affected: <= 6.13 · CVSS 9.8 (CRITICAL)
An invalid read of 8 bytes due to a use-after-free vulnerability during a "return" in the mg_http_get_proto_data function in mongo

CVE-2018-20353 · affected: <= 6.13 · CVSS 9.8 (CRITICAL)
An invalid read of 8 bytes due to a use-after-free vulnerability during a "NULL test" in the mg_http_get_proto_data function in mo

CVE-2018-19587 · affected: all versions · CVSS 6.5 (MEDIUM)
In Cesanta Mongoose 6.13, a SIGSEGV exists in the mongoose.c mg_mqtt_add_session() function.

CVE-2018-18765 · affected: all versions · CVSS 9.1 (CRITICAL)
An exploitable arbitrary memory read vulnerability exists in the MQTT packet-parsing functionality of Cesanta Mongoose 6.13. It is

CVE-2018-18764 · affected: all versions · CVSS 9.1 (CRITICAL)
An exploitable arbitrary memory read vulnerability exists in the MQTT packet-parsing functionality of Cesanta Mongoose 6.13. It is

CVE-2018-10945 · affected: all versions · CVSS 7.5 (HIGH)
The mg_handle_cgi function in mongoose.c in Mongoose 6.11 allows remote attackers to cause a denial of service (heap-based buffer

CVE-2017-2922 · affected: all versions · CVSS 9.8 (CRITICAL)
An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A speciall

CVE-2017-2921 · affected: all versions · CVSS 9.8 (CRITICAL)
An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A speciall

CVE-2017-2909 · affected: all versions · CVSS 7.5 (HIGH)
An infinite loop programming error exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS

CVE-2017-2895 · affected: all versions · CVSS 8.2 (HIGH)
An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A spec

CVE-2017-2894 · affected: all versions · CVSS 9.8 (CRITICAL)
An exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A spec

CVE-2017-2893 · affected: all versions · CVSS 7.5 (HIGH)
An exploitable NULL pointer dereference vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An

CVE-2017-2892 · affected: all versions · CVSS 9.8 (CRITICAL)
An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A spec

CVE-2017-2891 · affected: all versions · CVSS 9.8 (CRITICAL)
An exploitable use-after-free vulnerability exists in the HTTP server implementation of Cesanta Mongoose 6.8. An ordinary HTTP POS

CVE-2011-2900 · affected: all versions · CVSS not listed
Stack-based buffer overflow in the (1) put_dir function in mongoose.c in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL

CVE-2009-4535 · affected: <= 2.8.0 · CVSS not listed
Mongoose 2.8.0 and earlier allows remote attackers to obtain the source code for a web page by appending a / (slash) character to

CVE-2009-4530 · affected: <= 2.8 · CVSS not listed
Mongoose 2.8.0 and earlier allows remote attackers to obtain the source code for a web page by appending ::$DATA to the URI.

CVE-2009-1354 · affected: all versions · CVSS not listed
Directory traversal vulnerability in Mongoose 2.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin