CyberSec.Space Logo
Back to CVE Browser

CVE-2019-10758

Known Exploited (CISA KEV)CRITICAL
9.9
CVSS Severity Score
EPSS Score80.9650%
EPSS Percentile95.35th
PublishedDec 24, 2019
Last ModifiedOct 27, 2025

Vulnerability Description

mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.

Affected Platforms (CPE)

๐Ÿ“ฆ
Mongo Express Project

Mongo Express

< 0.54.0

References & Advisories

๐Ÿ”— https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
๐Ÿ”— https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
๐Ÿ”— https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758

Related Vulnerabilities

CVE-2020-243919.8

mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap...

CVE-2021-214228.1

mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://git...

CVE-2021-233724.4

All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to ...

CVE-2026-121917.8

A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdri...