CVE-2026-42334— Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 4
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Automattic | mongoose | < 6.13.9 | affected |
>= 7.0.0, <= 7.8.8 | affected | ||
>= 8.0.0, <= 8.22.0 | affected | ||
>= 9.0.0, <= 9.1.5 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42334
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Automattic | mongoose | < 6.13.9 | - |
II. Public POCs for CVE-2026-42334
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42334
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: mongoose
- CVE-2026-6986
Cesanta Mongoose GCM Authentication Tag tls_aes128.c mg_aes_ - CVE-2026-6985
Cesanta Mongoose TCP Option net_builtin.c handle_opt infinit - CVE-2026-5246
Cesanta Mongoose P-384 Public Key mongoose.c mg_tls_verify_c - CVE-2026-5245
Cesanta Mongoose mDNS Record mongoose.c handle_mdns_record s - CVE-2026-5244
Cesanta Mongoose TLS 1.3 mongoose.c mg_tls_recv_cert heap-ba
Same vendor: Automattic
- CVE-2026-3589
WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSR - CVE-2026-22356
WordPress Jetpack CRM plugin <= 6.7.0 - Local File Inclusion - CVE-2026-25404
WordPress WP Job Manager plugin <= 2.4.0 - Broken Access Con - CVE-2023-54332
Jetpack 11.4 - Cross Site Scripting (XSS) - CVE-2023-52212
WordPress WP Job Manager plugin <= 2.0.0 - Cross Site Reques
Same weakness: CWE-74
- CVE-2026-44458
Hono: CSS Declaration Injection via Style Object Values in J - CVE-2026-44455
Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML I - CVE-2026-42838
Microsoft Edge (Chromium-based) Elevation of Privilege Vulne - CVE-2026-33833
Azure Machine Learning Notebook Spoofing Vulnerability - CVE-2026-41109
GitHub Copilot and Visual Studio Code Security Feature Bypas
V. Comments for CVE-2026-42334
No comments yet