ctipilot.ch

cve-search unauthenticated /fetch_cve_data parameter manipulation exposes admin credential hashes

cve · CVE-2026-59509

Coverage timeline: 1 (first 2026-07-05 → last 2026-07-05)
Entries: 1 (1 distinct day)
Sources cited: 2 (2 hosts)
Sections touched: 1 (trending-vulnerabilities)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-07-05 · CVE-2026-59509 — cve-search: unauthenticated /fetch_cve_data parameter manipulation exposes admin credential hashes (CVSS 9.2)
     [trending-vulnerabilities] cve-search patches a pre-auth flaw that reads admin credential hashes via /fetch_cve_data

Where this entity is cited

  • trending-vulnerabilities (1)

Source distribution

  • cve.threatint.eu: 1 (50%)
  • github.com: 1 (50%)

Entries about cve-search unauthenticated /fetch_cve_data parameter manipulation exposes admin credential hashes (1)

2026-07-05

CVE-2026-59509 — cve-search: unauthenticated /fetch_cve_data parameter manipulation exposes admin credential hashes (CVSS 9.2)

notable vulnerability discovered 2026-07-05 18:16 UTC

CVE-2026-59509 is an unauthenticated improper-input-validation flaw (CWE-20; CVSS 4.0 base score 9.2, vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N) in the POST /fetch_cve_data endpoint of cve-search, the open-source CVE/CPE aggregation and search tool maintained by CIRCL (Luxembourg's CSIRT) and widely run internally by European CERTs, CSIRTs and MISP-adjacent CTI teams.

The root cause is that the handler let request parameters choose the MongoDB collection to query, the fields to project and the regular-expression filters to apply, instead of pinning the query to the CVE collection. A remote, unauthenticated caller could therefore point the same query at any application collection, including mgmt_users, and read administrative usernames and password hashes; from there, offline cracking and takeover of the instance's admin account follow (CIRCL/NVD, 2026-07-05). The vector reflects this: confidentiality impact is High on both the vulnerable component (VC:H) and the subsequent system (SC:H), while integrity and availability are untouched, so the score is driven entirely by the credential exposure.

Versions v4.0 through v6.0.0 are affected. The project's fix, "fix(web): add server-side validations for /fetch_cve_data inputs", was merged on 2026-06-22 and shipped in v6.0.1 (cve-search project, GitHub PR #1218). It restricts the endpoint to the CVE collection, allowlists the DataTables column fields that may be projected, and enforces pagination bounds; any request that fails these checks now receives HTTP 400.

Neither source reports in-the-wild exploitation, and no EPSS score has been published yet, which is consistent with a CVE assigned the same day on an already-merged fix. Operators should upgrade to v6.0.1 or later; because the endpoint required no authentication, an instance whose web UI was reachable from untrusted networks before the upgrade should treat its admin password hashes as potentially exposed and rotate those passwords.
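The two request-handling paths described above, as an added illustration that is not cve-search's own code: a pure-Python stand-in that builds the query a handler would send to MongoDB, first trusting the client's collection, column list and regex as the advisory describes, then with the three server-side checks the v6.0.1 fix is said to add (CVE-only collection, column allowlist, bounded pagination), plus literal matching of the search term so the client never supplies a regex. The parameter names (collection, columns, search, start, length), the column allowlist, the page-size cap and the in-memory collections are assumptions modelled on DataTables conventions, and the credential hash is made up.

```python
import re

# Constructed in-memory stand-in for the application's MongoDB collections.
# All values are made up; the password hash is not a real credential.
FAKE_DB = {
    "cves": [
        {"id": "CVE-2024-1001", "summary": "Buffer overflow in example parser", "cvss": 9.8},
        {"id": "CVE-2024-1002", "summary": "Path traversal in example uploader", "cvss": 7.5},
        {"id": "CVE-2024-1003", "summary": "Information disclosure in example API", "cvss": 5.3},
    ],
    "mgmt_users": [
        {"username": "admin", "password": "$pbkdf2-sha256$29000$constructed$hashvalue", "admin": True},
    ],
}

# Assumed allowlist of DataTables column names the CVE table may project, and assumed bounds.
ALLOWED_COLUMNS = frozenset({"id", "summary", "cvss"})
MAX_PAGE_LENGTH = 100
MAX_SEARCH_LEN = 256


class BadRequest(ValueError):
    """Raised by the hardened builder; a Flask view would map it to HTTP 400."""


def build_query_vulnerable(params):
    """Shape of the flaw as the advisory describes it (illustrative, not cve-search code):
    collection, projection and regex pattern are taken straight from the request."""
    return {
        "collection": params.get("collection", "cves"),
        "projection": list(params.get("columns", ["id", "summary", "cvss"])),
        "regex": str(params.get("search", "")),
        "skip": int(params.get("start", 0)),
        "limit": int(params.get("length", 10)),
    }


def build_query_hardened(params):
    """Server-side validation along the lines the fix is described to add."""
    # 1. The endpoint serves CVE data only; a client-chosen collection is rejected outright.
    if params.get("collection", "cves") != "cves":
        raise BadRequest("collection is not selectable")
    # 2. Projected fields must all come from a fixed allowlist.
    columns = list(params.get("columns", ["id", "summary", "cvss"]))
    if not columns or any(c not in ALLOWED_COLUMNS for c in columns):
        raise BadRequest("unknown column")
    # 3. Pagination must be integers inside fixed bounds.
    try:
        skip, limit = int(params.get("start", 0)), int(params.get("length", 10))
    except (TypeError, ValueError):
        raise BadRequest("start/length must be integers")
    if skip < 0 or not 1 <= limit <= MAX_PAGE_LENGTH:
        raise BadRequest("start/length out of range")
    # 4. The search term is matched literally: escape it rather than compile client input
    #    as a regex (for a real $regex, escape for the database's regex dialect).
    search = str(params.get("search", ""))
    if len(search) > MAX_SEARCH_LEN:
        raise BadRequest("search term too long")
    return {"collection": "cves", "projection": columns, "regex": re.escape(search),
            "skip": skip, "limit": limit}


def run_query(q, db=FAKE_DB):
    """Tiny stand-in for collection.find(filter, projection).skip(n).limit(m)."""
    pattern = re.compile(q["regex"], re.IGNORECASE)
    hits = [d for d in db[q["collection"]] if any(pattern.search(str(v)) for v in d.values())]
    page = hits[q["skip"]:q["skip"] + q["limit"]]
    return [{f: d.get(f) for f in q["projection"]} for d in page]


def is_rejected(params):
    """True when the hardened builder would answer these parameters with HTTP 400."""
    try:
        build_query_hardened(params)
    except BadRequest:
        return True
    return False


# Constructed request that redirects the query at the management-users collection.
ATTACK = {"collection": "mgmt_users", "columns": ["username", "password"], "search": ""}


def exploit_vulnerable():
    """Against the trusting builder the attacker's parameters return the admin hash."""
    return run_query(build_query_vulnerable(ATTACK))


if __name__ == "__main__":
    print("vulnerable:", exploit_vulnerable())
    print("hardened rejects attack:", is_rejected(ATTACK))
    print("hardened legit:", run_query(build_query_hardened({"search": "overflow", "length": "5"})))
```

Running the block shows the same parameters yielding the admin username and hash from the trusting path and a rejection from the hardened one, while an ordinary filtered, paginated CVE request still succeeds; the literal-match step is a deliberate extra beyond the three checks the page names, since an attacker-chosen pattern is also an expensive-regex vector.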

An unauthenticated improper input validation vulnerability in the POST /fetch_cve_data endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt_users collection, enabling offline password cracking and potential administrative account compromise.

ThreatInt.eu (CVE aggregator) 2026-07-05

fix(web): add server-side validations for /fetch_cve_data inputs

cve-search project (GitHub PR #1218 — fix) 2026-06-22
Tags: vulnerabilities, pre-auth, info-disclosure, sqli, patch-available, europe, CVE-2026-59509