Skip to main content

Nosql Injection

38 CVEs technique

Monthly

CVE-2026-8649 CRITICAL PATCH Act Now

SQL/NoSQL query injection in Progress MOVEit Transfer (Custom Reports modules) lets remote unauthenticated attackers manipulate backend data-query logic to read, alter, or destroy managed-file-transfer data across versions before 2025.0.7, 2025.1.3, and 2026.0.0. Rated CVSS 9.8 with full confidentiality, integrity, and availability impact, though real-world exploitation is currently rated low (EPSS 0.22%, CISA SSVC exploitation 'none') and no public exploit has been identified at time of analysis. MOVEit's history as a mass-exploitation target (Cl0p, 2023) makes this a high-priority patch despite the currently quiet threat signal.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-10698 HIGH PATCH This Week

Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-40141 HIGH PATCH NEWS This Week

Improper data-query neutralization (NoSQL injection) in the web application component of BeyondTrust Remote Support and Privileged Remote Access allows an authenticated, low-privileged attacker to manipulate input parameters and read resources or data beyond their authorization scope. The flaw enables information disclosure across authorization boundaries and, per the vendor's CVSS 4.0 vector, can impact downstream systems. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation is restricted to accounts holding specific permissions.

Nosql Injection Information Disclosure Remote Support Privilege Remote Access
NVD
CVSS 4.0
8.5
EPSS
0.4%
CVE-2026-46591 HIGH PATCH This Week

Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMatchProperties map to execute arbitrary Cypher queries against the connected Neo4j database, enabling unauthorized read, modification, or deletion of any node or relationship. The flaw exists across three release streams (4.10.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) and is a direct bypass of the partial fix introduced in CVE-2025-66169, which bound property values as query parameters but left property names (JSON keys) concatenated verbatim into the WHERE clause. No public exploit code or CISA KEV listing has been identified at time of analysis, though the prior related CVE in the same producer indicates recurring injection exposure in this component.

Code Injection Nosql Injection Apache Apache Camel
NVD VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-44840 Go HIGH POC PATCH GHSA This Week

DQL (Dgraph Query Language) injection in Dgraph's GraphQL-to-DQL query rewriter (versions <= v25.3.3) lets remote unauthenticated attackers inject arbitrary query blocks through the unauthenticated checkUserPassword GraphQL query. User-supplied password values are interpolated into a checkpwd() DQL call via fmt.Sprintf without escaping, so a double-quote breaks out of the string literal and appends attacker-controlled DQL. A working PoC exists (publicly available exploit code exists); the issue is not in CISA KEV and no active exploitation is reported, but server-side execution of injected blocks is confirmed, enabling schema/data enumeration and resource exhaustion.

Denial Of Service Nosql Injection
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-45689 CRITICAL PATCH Act Now

{"$ne": null} for client_id, client_secret, and refresh_token returns a live token bound to whatever user Mongo matches first; iterating with $nin/$regex walks the entire token collection. No public exploit identified at time of analysis, but exploitation is trivial and capturing an admin token yields full /api/v1/* control and Apps-Engine app installation (server-side code execution). Fixed in the 8.5.0/8.4.1/8.3.3/8.2.3/8.1.4/8.0.5/7.13.7/7.10.11 release line.

Nosql Injection RCE
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-45688 CRITICAL PATCH Act Now

{"$gt": ""} matches the first unexpired credential-token document, yielding a full Meteor auth token bound to a legitimate victim - and full instance compromise if that victim is an administrator. No public exploit identified at time of analysis, but the CVSS 9.1 rating and trivial exploitability make this a high-priority patch.

Authentication Bypass Nosql Injection
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-47835 HIGH PATCH This Week

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers to inject special characters into vector-store inputs and force execution of arbitrary queries against Elasticsearch, OpenSearch, and GemFire VectorDB backends. The flaw resides in the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, enabling information disclosure and limited integrity/availability impact against any application embedding Spring AI's vector-store abstraction. No public exploit identified at time of analysis, but the CVSS 8.6 (scope unchanged here, network vector, no privileges) makes this a high-priority patch for any Spring AI deployment ingesting untrusted text.

Nosql Injection Java Elastic Information Disclosure Spring Ai
NVD
CVSS 3.1
8.6
EPSS
0.5%
CVE-2026-48121 npm MEDIUM PATCH GHSA This Month

{"$gt": ""}`) to be interpreted as query logic rather than literal values. No public exploit is independently catalogued (KEV not listed), but a proof-of-concept TypeScript payload is included in the vendor advisory, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation activity at time of analysis.

Checkpoint Nosql Injection Authentication Bypass
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-53674 HIGH This Week

Regex injection in BuddyPress 14.4.0's activity mention resolver allows authenticated WordPress users to manipulate a REGEXP clause against the users table when username compatibility mode is enabled, enabling boolean-based username inference and denial of service via catastrophic backtracking. CVSS 4.0 scores this 7.1 with low confidentiality impact and high availability impact, reflecting the dual data-leakage and DoS outcomes. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Denial Of Service Nosql Injection
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41697 MEDIUM PATCH This Month

Boolean-based blind query injection in Spring Data Relational (JDBC and R2DBC) allows remote unauthenticated attackers to infer database contents by supplying wildcard characters to Query By Example (QBE) endpoints using StringMatcher modes STARTING, ENDING, or CONTAINING. The root cause is insufficient escaping of externally-controlled binding values before they reach the underlying query logic. No public exploit or CISA KEV listing has been identified at time of analysis, but the network-accessible, no-authentication-required attack surface makes this a meaningful exposure for any Spring Data application that exposes QBE search functionality.

Nosql Injection Information Disclosure Java
NVD VulDB HeroDevs
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-41696 MEDIUM PATCH This Month

Regex parameter binding in Spring Data MongoDB's @Query annotation fails to sufficiently quote user-supplied strings, enabling NoSQL injection that can manipulate query semantics. Unauthenticated remote attackers (PR:N, AV:N) who can influence the bound parameter in applications using this pattern may break out of the intended regular expression context to retrieve unintended documents, resulting in high-impact confidentiality compromise. No confirmed active exploitation or public exploit code has been identified at time of analysis; the CVSS Attack Complexity of High reflects a dependency on a specific application-level coding pattern.

Nosql Injection Information Disclosure Java Spring Data Mongodb
NVD VulDB HeroDevs
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-40102 MEDIUM PATCH This Month

ORM Field Reference Injection in Plane versions 1.3.0 and below enables any authenticated workspace MEMBER to exfiltrate sensitive data - including bcrypt password hashes, API tokens, and user email addresses - via a single crafted GET request. The SavedAnalyticEndpoint omits the field allowlist validation present in the regular AnalyticsEndpoint, passing the user-supplied segment parameter directly into Django F() expressions, which then traverse foreign-key relationships and return referenced field values in the JSON response. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack is trivially reconstructable from the public GHSA-93x3-ghh7-72j3 advisory and the exfiltrated data directly enables secondary attacks.

Information Disclosure Nosql Injection Python
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42156 HIGH This Week

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher query. This vulnerability is fixed in 1.2.3.

Information Disclosure Nosql Injection
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-42316 MEDIUM PATCH This Month

KQL injection in kafka-sink-azure-kusto Kafka Connect plugin prior to 5.2.3 allows authenticated administrators with Kafka Connect configuration permissions to inject arbitrary KQL management commands by embedding metacharacters in the kusto.tables.topics.mapping configuration fields (db, table, mapping, format). An attacker with connector configuration privileges could enumerate or modify schemas, tamper with ingestion mappings, or alter streaming and retention policies on the target Azure Data Explorer database using the connector's service principal credentials. The vulnerability is fixed in version 5.2.3 and has not been observed in active exploitation at the time of this analysis.

Microsoft Information Disclosure Nosql Injection
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-33566 MEDIUM This Month

Cypher injection in LogonTracer prior to v2.0.0 allows remote attackers to alter database contents by submitting specially crafted Windows event log data. The vulnerability requires user interaction to load the malicious log data but results in integrity compromise of the underlying database due to improper input sanitization in Cypher query construction.

Microsoft Code Injection Nosql Injection
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-41328 Go CRITICAL PATCH GHSA Act Now

Pre-authentication NoSQL injection in Dgraph allows remote unauthenticated attackers to exfiltrate entire databases and modify schemas via crafted JSON mutation keys. The vulnerability exploits unsanitized language tag fields in the addQueryIfUnique function, enabling DQL query injection through specially crafted HTTP POST requests to port 8080. Attackers can extract all database contents including credentials, secrets, and AWS keys with two HTTP requests against default configurations where ACL is disabled. CVSS 9.1 (Critical) with network vector, no authentication required, and low attack complexity. No public exploit code confirmed outside the GitHub advisory, though a complete proof-of-concept with video demonstration exists in the advisory. EPSS data not available for this recent CVE.

Docker Authentication Bypass Denial Of Service Apple Python +1
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-41327 Go CRITICAL PATCH GHSA Act Now

Remote unauthenticated attackers can exfiltrate all data from Dgraph databases via DQL injection in the /mutate endpoint's cond parameter. Default configurations with ACL disabled allow single HTTP POST requests to bypass authentication and execute arbitrary read queries, returning complete database contents including credentials, PII, and secrets. The vulnerability exploits unsanitized string concatenation in buildUpsertQuery() where user-supplied cond values are written directly into DQL queries without escaping or validation. Proof-of-concept demonstrates extraction of AWS credentials, GCP service account keys, and user secrets in a single request. No public exploitation confirmed at time of analysis, but POC code publicly available via GitHub advisory. EPSS data not available; CVSS 9.1 indicates critical severity with network vector and no authentication required.

Docker Authentication Bypass Denial Of Service Apple Python +1
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-41274 npm CRITICAL PATCH GHSA Act Now

Cypher injection in Flowise GraphCypherQAChain node allows remote unauthenticated attackers to execute arbitrary database commands against connected Neo4j instances. Attackers can exfiltrate, modify, or delete data in the graph database by injecting malicious Cypher queries through user-controlled input fields that bypass sanitization (CWE-943: Improper Neutralization of Special Elements in Data Query Logic). The vulnerability affects both Flowise core and flowise-components packages prior to version 3.1.0. CVSS 9.3 critical severity reflects network-accessible attack vector requiring no authentication or user interaction. EPSS data unavailable; no CISA KEV listing indicates exploitation not yet confirmed in the wild, though GitHub security advisory confirms vendor awareness and patch availability.

Code Injection Nosql Injection Flowise Flowise Components
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-6626 PHP LOW POC PATCH Monitor

NoSQL injection in Cockpit-HQ Cockpit up to version 2.13.5 allows authenticated remote attackers to manipulate data query logic through the Asset Handler or Aggregate Handler components, resulting in information disclosure with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.

Nosql Injection Information Disclosure Cockpit
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-40352 HIGH PATCH This Week

NoSQL injection in FastGPT versions before 4.14.9.5 allows authenticated attackers to bypass password verification on the password change endpoint using MongoDB query operators. Low-privileged users can change their own password (or potentially others' passwords via ID manipulation) without knowing the current password, enabling full account takeover and persistent access. Fixed in version 4.14.9.5. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis, though the attack technique is well-documented for NoSQL injection vectors.

Authentication Bypass Nosql Injection Fastgpt
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-40351 CRITICAL PATCH Act Now

NoSQL injection in FastGPT <4.14.9.5 password authentication allows unauthenticated remote attackers to bypass login controls and access any account, including root administrator, by submitting MongoDB query operators instead of plaintext passwords. The vulnerability stems from missing runtime validation on password fields in the login endpoint. Exploitation requires no special conditions beyond network access to the login endpoint. CVSS 9.8 (Critical) with EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis, though GitHub security advisory provides technical details that could enable exploit development.

Denial Of Service Nosql Injection Fastgpt
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-34973 PHP MEDIUM PATCH GHSA This Month

Information disclosure in phpMyFAQ allows unauthenticated attackers to enumerate custom page content by injecting SQL LIKE wildcards (`%` and `_`) into the search term, bypassing intended search filters. The `searchCustomPages()` method in `Search.php` uses `real_escape_string()` which does not escape LIKE metacharacters, enabling an attacker to craft queries like `_%_` that match all records regardless of intended search scope. This vulnerability has no authentication requirement and affects the publicly accessible search functionality.

PHP Information Disclosure Nosql Injection
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-33980 PyPI HIGH PATCH GHSA This Week

KQL injection in adx-mcp-server Python package allows authenticated attackers to execute arbitrary Kusto queries against Azure Data Explorer clusters. Three MCP tool handlers (get_table_schema, sample_table_data, get_table_details) unsafely interpolate the table_name parameter into query strings via f-strings, enabling data exfiltration from arbitrary tables, execution of management commands, and potential table drops. Vendor-released patch available (commit 0abe0ee). No public exploit identified at time of analysis, though proof-of-concept code exists in the security advisory demonstrating injection via comment-based bypass and newline-separated commands. Affects adx-mcp-server ≤ commit 48b2933.

Microsoft RCE Nosql Injection Python
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-22558 HIGH This Week

UniFi Network Application allows authenticated attackers to escalate privileges via NoSQL injection with high confidentiality impact. The vulnerability enables network-accessible attackers holding low-privilege credentials to exploit database queries and access sensitive information belonging to higher-privileged users or contexts. With an EPSS score of 0.03% (7th percentile) and no public exploit identified at time of analysis, real-world exploitation probability is currently assessed as low despite the 7.7 CVSS severity rating.

Ubiquiti Nosql Injection Privilege Escalation
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-3021 MEDIUM PATCH This Month

A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application at the endpoint 'vets.wakyma.com/centro/equipo/empleado' that allows authenticated users to inject NoSQL commands and enumerate sensitive employee data. The vulnerability has a CVSS 4.0 score of 7.1 (High) with network attack vector requiring low privileges. No proof-of-concept code, EPSS data, or KEV listing information is currently available for this vulnerability.

SQLi Nosql Injection Wakyma Application Web
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32247 PyPI HIGH POC PATCH This Week

High severity vulnerability in Graphiti. #

Code Injection Nosql Injection Graphiti
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-42884 MEDIUM This Month

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI lookup operations, enabling access to an unintended JNDI. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Nosql Injection Code Injection
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-36185 MEDIUM This Month

IBM Db2 12.1.0 through 12.1.2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a local user to cause a denial of service due to improper neutralization of special elements in. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Microsoft Nosql Injection IBM Db2 +1
NVD
CVSS 3.1
6.2
EPSS
0.1%
CVE-2025-23292 MEDIUM Monitor

NVIDIA Delegated Licensing Service for all appliance platforms contains a SQL injection vulnerability where an User/Attacker may cause an authorized action. Rated medium severity (CVSS 4.6). No vendor patch available.

Denial Of Service Nvidia Nosql Injection SQLi
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-24787 Go HIGH PATCH This Week

WhoDB is an open source database management tool. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Nosql Injection Whodb Suse
NVD GitHub
CVSS 3.1
8.6
EPSS
0.2%
CVE-2024-4872 HIGH This Week

A vulnerability exists in the query validation of the MicroSCADA Pro/X SYS600 product. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Nosql Injection Microscada Pro Sys600 Microscada X Sys600
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-35136 MEDIUM This Month

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) federated server 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query under certain non default. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service Nosql Injection Microsoft Db2
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-31882 MEDIUM This Month

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to a denial of service, under specific non default configurations, as the server may crash when using a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service Nosql Injection Microsoft Db2
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2021-34712 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct cypher query language injection attacks on an affected. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Nosql Injection Information Disclosure Catalyst Sd Wan Manager Sd Wan Vmanage
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2021-1349 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct Cypher query language injection attacks on an affected. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Nosql Injection Information Disclosure Sd Wan Vmanage
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2020-5257 Ruby HIGH PATCH This Week

In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Nosql Injection SQLi Administrate
NVD GitHub
CVSS 3.1
8.1
EPSS
0.9%
CVE-2017-12904 HIGH PATCH This Week

Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Nosql Injection Command Injection Newsbeuter Debian Linux
NVD GitHub
CVSS 3.0
8.8
EPSS
2.3%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL/NoSQL query injection in Progress MOVEit Transfer (Custom Reports modules) lets remote unauthenticated attackers manipulate backend data-query logic to read, alter, or destroy managed-file-transfer data across versions before 2025.0.7, 2025.1.3, and 2026.0.0. Rated CVSS 9.8 with full confidentiality, integrity, and availability impact, though real-world exploitation is currently rated low (EPSS 0.22%, CISA SSVC exploitation 'none') and no public exploit has been identified at time of analysis. MOVEit's history as a mass-exploitation target (Cl0p, 2023) makes this a high-priority patch despite the currently quiet threat signal.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Improper data-query neutralization (NoSQL injection) in the web application component of BeyondTrust Remote Support and Privileged Remote Access allows an authenticated, low-privileged attacker to manipulate input parameters and read resources or data beyond their authorization scope. The flaw enables information disclosure across authorization boundaries and, per the vendor's CVSS 4.0 vector, can impact downstream systems. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation is restricted to accounts holding specific permissions.

Nosql Injection Information Disclosure Remote Support +1
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMatchProperties map to execute arbitrary Cypher queries against the connected Neo4j database, enabling unauthorized read, modification, or deletion of any node or relationship. The flaw exists across three release streams (4.10.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) and is a direct bypass of the partial fix introduced in CVE-2025-66169, which bound property values as query parameters but left property names (JSON keys) concatenated verbatim into the WHERE clause. No public exploit code or CISA KEV listing has been identified at time of analysis, though the prior related CVE in the same producer indicates recurring injection exposure in this component.

Code Injection Nosql Injection Apache +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

DQL (Dgraph Query Language) injection in Dgraph's GraphQL-to-DQL query rewriter (versions <= v25.3.3) lets remote unauthenticated attackers inject arbitrary query blocks through the unauthenticated checkUserPassword GraphQL query. User-supplied password values are interpolated into a checkpwd() DQL call via fmt.Sprintf without escaping, so a double-quote breaks out of the string literal and appends attacker-controlled DQL. A working PoC exists (publicly available exploit code exists); the issue is not in CISA KEV and no active exploitation is reported, but server-side execution of injected blocks is confirmed, enabling schema/data enumeration and resource exhaustion.

Denial Of Service Nosql Injection
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

{"$ne": null} for client_id, client_secret, and refresh_token returns a live token bound to whatever user Mongo matches first; iterating with $nin/$regex walks the entire token collection. No public exploit identified at time of analysis, but exploitation is trivial and capturing an admin token yields full /api/v1/* control and Apps-Engine app installation (server-side code execution). Fixed in the 8.5.0/8.4.1/8.3.3/8.2.3/8.1.4/8.0.5/7.13.7/7.10.11 release line.

Nosql Injection RCE
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

{"$gt": ""} matches the first unexpired credential-token document, yielding a full Meteor auth token bound to a legitimate victim - and full instance compromise if that victim is an administrator. No public exploit identified at time of analysis, but the CVSS 9.1 rating and trivial exploitability make this a high-priority patch.

Authentication Bypass Nosql Injection
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers to inject special characters into vector-store inputs and force execution of arbitrary queries against Elasticsearch, OpenSearch, and GemFire VectorDB backends. The flaw resides in the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, enabling information disclosure and limited integrity/availability impact against any application embedding Spring AI's vector-store abstraction. No public exploit identified at time of analysis, but the CVSS 8.6 (scope unchanged here, network vector, no privileges) makes this a high-priority patch for any Spring AI deployment ingesting untrusted text.

Nosql Injection Java Elastic +2
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

{"$gt": ""}`) to be interpreted as query logic rather than literal values. No public exploit is independently catalogued (KEV not listed), but a proof-of-concept TypeScript payload is included in the vendor advisory, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation activity at time of analysis.

Checkpoint Nosql Injection Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Regex injection in BuddyPress 14.4.0's activity mention resolver allows authenticated WordPress users to manipulate a REGEXP clause against the users table when username compatibility mode is enabled, enabling boolean-based username inference and denial of service via catastrophic backtracking. CVSS 4.0 scores this 7.1 with low confidentiality impact and high availability impact, reflecting the dual data-leakage and DoS outcomes. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Denial Of Service Nosql Injection
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Boolean-based blind query injection in Spring Data Relational (JDBC and R2DBC) allows remote unauthenticated attackers to infer database contents by supplying wildcard characters to Query By Example (QBE) endpoints using StringMatcher modes STARTING, ENDING, or CONTAINING. The root cause is insufficient escaping of externally-controlled binding values before they reach the underlying query logic. No public exploit or CISA KEV listing has been identified at time of analysis, but the network-accessible, no-authentication-required attack surface makes this a meaningful exposure for any Spring Data application that exposes QBE search functionality.

Nosql Injection Information Disclosure Java
NVD VulDB HeroDevs
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Regex parameter binding in Spring Data MongoDB's @Query annotation fails to sufficiently quote user-supplied strings, enabling NoSQL injection that can manipulate query semantics. Unauthenticated remote attackers (PR:N, AV:N) who can influence the bound parameter in applications using this pattern may break out of the intended regular expression context to retrieve unintended documents, resulting in high-impact confidentiality compromise. No confirmed active exploitation or public exploit code has been identified at time of analysis; the CVSS Attack Complexity of High reflects a dependency on a specific application-level coding pattern.

Nosql Injection Information Disclosure Java +1
NVD VulDB HeroDevs
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

ORM Field Reference Injection in Plane versions 1.3.0 and below enables any authenticated workspace MEMBER to exfiltrate sensitive data - including bcrypt password hashes, API tokens, and user email addresses - via a single crafted GET request. The SavedAnalyticEndpoint omits the field allowlist validation present in the regular AnalyticsEndpoint, passing the user-supplied segment parameter directly into Django F() expressions, which then traverse foreign-key relationships and return referenced field values in the JSON response. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack is trivially reconstructable from the public GHSA-93x3-ghh7-72j3 advisory and the exfiltrated data directly enables secondary attacks.

Information Disclosure Nosql Injection Python
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher query. This vulnerability is fixed in 1.2.3.

Information Disclosure Nosql Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

KQL injection in kafka-sink-azure-kusto Kafka Connect plugin prior to 5.2.3 allows authenticated administrators with Kafka Connect configuration permissions to inject arbitrary KQL management commands by embedding metacharacters in the kusto.tables.topics.mapping configuration fields (db, table, mapping, format). An attacker with connector configuration privileges could enumerate or modify schemas, tamper with ingestion mappings, or alter streaming and retention policies on the target Azure Data Explorer database using the connector's service principal credentials. The vulnerability is fixed in version 5.2.3 and has not been observed in active exploitation at the time of this analysis.

Microsoft Information Disclosure Nosql Injection
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Cypher injection in LogonTracer prior to v2.0.0 allows remote attackers to alter database contents by submitting specially crafted Windows event log data. The vulnerability requires user interaction to load the malicious log data but results in integrity compromise of the underlying database due to improper input sanitization in Cypher query construction.

Microsoft Code Injection Nosql Injection
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Pre-authentication NoSQL injection in Dgraph allows remote unauthenticated attackers to exfiltrate entire databases and modify schemas via crafted JSON mutation keys. The vulnerability exploits unsanitized language tag fields in the addQueryIfUnique function, enabling DQL query injection through specially crafted HTTP POST requests to port 8080. Attackers can extract all database contents including credentials, secrets, and AWS keys with two HTTP requests against default configurations where ACL is disabled. CVSS 9.1 (Critical) with network vector, no authentication required, and low attack complexity. No public exploit code confirmed outside the GitHub advisory, though a complete proof-of-concept with video demonstration exists in the advisory. EPSS data not available for this recent CVE.

Docker Authentication Bypass Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote unauthenticated attackers can exfiltrate all data from Dgraph databases via DQL injection in the /mutate endpoint's cond parameter. Default configurations with ACL disabled allow single HTTP POST requests to bypass authentication and execute arbitrary read queries, returning complete database contents including credentials, PII, and secrets. The vulnerability exploits unsanitized string concatenation in buildUpsertQuery() where user-supplied cond values are written directly into DQL queries without escaping or validation. Proof-of-concept demonstrates extraction of AWS credentials, GCP service account keys, and user secrets in a single request. No public exploitation confirmed at time of analysis, but POC code publicly available via GitHub advisory. EPSS data not available; CVSS 9.1 indicates critical severity with network vector and no authentication required.

Docker Authentication Bypass Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Cypher injection in Flowise GraphCypherQAChain node allows remote unauthenticated attackers to execute arbitrary database commands against connected Neo4j instances. Attackers can exfiltrate, modify, or delete data in the graph database by injecting malicious Cypher queries through user-controlled input fields that bypass sanitization (CWE-943: Improper Neutralization of Special Elements in Data Query Logic). The vulnerability affects both Flowise core and flowise-components packages prior to version 3.1.0. CVSS 9.3 critical severity reflects network-accessible attack vector requiring no authentication or user interaction. EPSS data unavailable; no CISA KEV listing indicates exploitation not yet confirmed in the wild, though GitHub security advisory confirms vendor awareness and patch availability.

Code Injection Nosql Injection Flowise +1
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

NoSQL injection in Cockpit-HQ Cockpit up to version 2.13.5 allows authenticated remote attackers to manipulate data query logic through the Asset Handler or Aggregate Handler components, resulting in information disclosure with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.

Nosql Injection Information Disclosure Cockpit
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

NoSQL injection in FastGPT versions before 4.14.9.5 allows authenticated attackers to bypass password verification on the password change endpoint using MongoDB query operators. Low-privileged users can change their own password (or potentially others' passwords via ID manipulation) without knowing the current password, enabling full account takeover and persistent access. Fixed in version 4.14.9.5. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis, though the attack technique is well-documented for NoSQL injection vectors.

Authentication Bypass Nosql Injection Fastgpt
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

NoSQL injection in FastGPT <4.14.9.5 password authentication allows unauthenticated remote attackers to bypass login controls and access any account, including root administrator, by submitting MongoDB query operators instead of plaintext passwords. The vulnerability stems from missing runtime validation on password fields in the login endpoint. Exploitation requires no special conditions beyond network access to the login endpoint. CVSS 9.8 (Critical) with EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis, though GitHub security advisory provides technical details that could enable exploit development.

Denial Of Service Nosql Injection Fastgpt
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Information disclosure in phpMyFAQ allows unauthenticated attackers to enumerate custom page content by injecting SQL LIKE wildcards (`%` and `_`) into the search term, bypassing intended search filters. The `searchCustomPages()` method in `Search.php` uses `real_escape_string()` which does not escape LIKE metacharacters, enabling an attacker to craft queries like `_%_` that match all records regardless of intended search scope. This vulnerability has no authentication requirement and affects the publicly accessible search functionality.

PHP Information Disclosure Nosql Injection
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

KQL injection in adx-mcp-server Python package allows authenticated attackers to execute arbitrary Kusto queries against Azure Data Explorer clusters. Three MCP tool handlers (get_table_schema, sample_table_data, get_table_details) unsafely interpolate the table_name parameter into query strings via f-strings, enabling data exfiltration from arbitrary tables, execution of management commands, and potential table drops. Vendor-released patch available (commit 0abe0ee). No public exploit identified at time of analysis, though proof-of-concept code exists in the security advisory demonstrating injection via comment-based bypass and newline-separated commands. Affects adx-mcp-server ≤ commit 48b2933.

Microsoft RCE Nosql Injection +1
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

UniFi Network Application allows authenticated attackers to escalate privileges via NoSQL injection with high confidentiality impact. The vulnerability enables network-accessible attackers holding low-privilege credentials to exploit database queries and access sensitive information belonging to higher-privileged users or contexts. With an EPSS score of 0.03% (7th percentile) and no public exploit identified at time of analysis, real-world exploitation probability is currently assessed as low despite the 7.7 CVSS severity rating.

Ubiquiti Nosql Injection Privilege Escalation
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application at the endpoint 'vets.wakyma.com/centro/equipo/empleado' that allows authenticated users to inject NoSQL commands and enumerate sensitive employee data. The vulnerability has a CVSS 4.0 score of 7.1 (High) with network attack vector requiring low privileges. No proof-of-concept code, EPSS data, or KEV listing information is currently available for this vulnerability.

SQLi Nosql Injection Wakyma Application Web
NVD VulDB
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

High severity vulnerability in Graphiti. #

Code Injection Nosql Injection Graphiti
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI lookup operations, enabling access to an unintended JNDI. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Nosql Injection Code Injection
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

IBM Db2 12.1.0 through 12.1.2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a local user to cause a denial of service due to improper neutralization of special elements in. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Microsoft Nosql Injection +3
NVD
EPSS 0% CVSS 4.6
MEDIUM Monitor

NVIDIA Delegated Licensing Service for all appliance platforms contains a SQL injection vulnerability where an User/Attacker may cause an authorized action. Rated medium severity (CVSS 4.6). No vendor patch available.

Denial Of Service Nvidia Nosql Injection +1
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

WhoDB is an open source database management tool. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Nosql Injection Whodb +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

A vulnerability exists in the query validation of the MicroSCADA Pro/X SYS600 product. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Nosql Injection Microscada Pro Sys600 +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) federated server 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query under certain non default. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service Nosql Injection +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to a denial of service, under specific non default configurations, as the server may crash when using a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service Nosql Injection +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct cypher query language injection attacks on an affected. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Nosql Injection Information Disclosure +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct Cypher query language injection attacks on an affected. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Nosql Injection Information Disclosure +1
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Nosql Injection SQLi Administrate
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Nosql Injection Command Injection +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy