Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/mongo-express@0.12.0

Type npm

Namespace

Name mongo-express

Version 0.12.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.0.0-alpha.4

Latest_non_vulnerable_version 1.0.0-alpha.4

Affected_by_vulnerabilities

url VCID-9zpn-rzfs-pyfg

vulnerability_id VCID-9zpn-rzfs-pyfg

summary

Remote Code Execution Vulnerability in NPM mongo-express
Remote code execution on the host machine by any authenticated user.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-10758

reference_id

reference_type

scores

value	0.94352
scoring_system	epss
scoring_elements	0.99961
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-10758

reference_url

https://github.com/mongo-express/mongo-express

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/mongo-express/mongo-express

reference_url

https://github.com/mongo-express/mongo-express/blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/mongo-express/mongo-express/blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60

reference_url

https://github.com/mongo-express/mongo-express/commit/7d365141deadbd38fa961cd835ce68eab5731494

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/mongo-express/mongo-express/commit/7d365141deadbd38fa961cd835ce68eab5731494

reference_url

https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2

reference_url

https://github.com/mongo-express/mongo-express/pull/522

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/mongo-express/mongo-express/pull/522

reference_url

https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215

reference_url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-10758

reference_id

CVE-2019-10758

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-10758

reference_url	https://github.com/advisories/GHSA-h47j-hc6x-h3qq
reference_id	GHSA-h47j-hc6x-h3qq
reference_type
scores
url	https://github.com/advisories/GHSA-h47j-hc6x-h3qq

reference_url

https://github.com/mongo-express/mongo-express/security/advisories/GHSA-h47j-hc6x-h3qq

reference_id

GHSA-h47j-hc6x-h3qq

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/mongo-express/mongo-express/security/advisories/GHSA-h47j-hc6x-h3qq

fixed_packages

url pkg:npm/mongo-express@0.54.0

purl pkg:npm/mongo-express@0.54.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kas3-jua6-hqer

vulnerability	VCID-nr2n-pfu7-afat

vulnerability	VCID-quer-e8mx-eyg2

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mongo-express@0.54.0

aliases CVE-2019-10758, GHSA-h47j-hc6x-h3qq

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9zpn-rzfs-pyfg

url

VCID-kas3-jua6-hqer

vulnerability_id

VCID-kas3-jua6-hqer

summary

Improper Check for Unusual or Exceptional Conditions
Mongo-express is vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-23372

reference_id

reference_type

scores

value	0.00306
scoring_system	epss
scoring_elements	0.54141
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-23372

reference_url

https://github.com/mongo-express/mongo-express

reference_id

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/mongo-express/mongo-express

reference_url

https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-1085403

reference_id

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-1085403

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-23372

reference_id

CVE-2021-23372

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-23372

fixed_packages

aliases

CVE-2021-23372, GHSA-m2r3-8492-vx59

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-kas3-jua6-hqer

url VCID-nr2n-pfu7-afat

vulnerability_id VCID-nr2n-pfu7-afat

summary

Javascript Injection
mongo-express offers support for certain advanced syntax but implements this in an unsafe way

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-24391

reference_id

reference_type

scores

value	0.92863
scoring_system	epss
scoring_elements	0.99775
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-24391

reference_url

https://github.com/mongodb-js/query-parser/issues/16

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/mongodb-js/query-parser/issues/16

reference_url

https://github.com/mongo-express/mongo-express/commit/3a26b079e7821e0e209c3ee0cc2ae15ad467b91a

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/mongo-express/mongo-express/commit/3a26b079e7821e0e209c3ee0cc2ae15ad467b91a

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-24391

reference_id

CVE-2020-24391

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-24391

reference_url	https://github.com/advisories/GHSA-hxmg-hm46-cf62
reference_id	GHSA-hxmg-hm46-cf62
reference_type
scores
url	https://github.com/advisories/GHSA-hxmg-hm46-cf62

fixed_packages

url pkg:npm/mongo-express@1.0.0-alpha.1

purl pkg:npm/mongo-express@1.0.0-alpha.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kas3-jua6-hqer

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mongo-express@1.0.0-alpha.1

aliases CVE-2020-24391, GHSA-hxmg-hm46-cf62

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nr2n-pfu7-afat

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mongo-express@0.12.0

Package Instance