CVE-2025-23061

CRITICAL Year: 2025
CVSS v3 Score
9.0
Critical
Weakness Type
CWE-94
View all →

Vulnerability Description

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Related Vulnerabilities

CVE-2015-8351

CRITICAL
CVSS:9.0(Critical)

PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code vi...

CWE-942015

CVE-2015-8761

CRITICAL
CVSS:9.0(Critical)

The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly check permissions, which allows remote administrators with the "Import value sets" permission to execute arbitrary PHP code via th...

CWE-942015

CVE-2018-4031

CRITICAL
CVSS:9.0(Critical)

An exploitable vulnerability exists in the safe browsing function of the CUJO Smart Firewall, version 7003. The flaw lies in the way the safe browsing function parses HTTP requests. The server hostnam...

CWE-942018

CVE-2019-7610

CRITICAL
CVSS:9.0(Critical)

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could sen...

CWE-942019

CVE-2020-15142

CRITICAL
CVSS:9.0(Critical)

In openapi-python-client before version 0.5.3, clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitr...

CWE-942020

CVE-2020-9406

CRITICAL
CVSS:9.0(Critical)

IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.

CWE-942020