Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-e36b-xyqv-5uh1
Vulnerability ID VCID-e36b-xyqv-5uh1
Aliases CVE-2019-17426
GHSA-8687-vv9j-hgph
Summary Improper Input Validation in Automattic Mongoose
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-20 Improper Input Validation
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00237 https://api.first.org/data/v1/epss?cve=CVE-2019-17426
epss 0.00237 https://api.first.org/data/v1/epss?cve=CVE-2019-17426
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-8687-vv9j-hgph
cvssv3.1 9.1 https://github.com/Automattic/mongoose
generic_textual CRITICAL https://github.com/Automattic/mongoose
cvssv3.1 9.1 https://github.com/Automattic/mongoose/commit/f3eca5b94d822225c04e96cbeed9f095afb3c31c
generic_textual CRITICAL https://github.com/Automattic/mongoose/commit/f3eca5b94d822225c04e96cbeed9f095afb3c31c
cvssv3.1 9.1 https://github.com/Automattic/mongoose/commit/f88eb2524b65a68ff893c90a03c04f0913c1913e
generic_textual CRITICAL https://github.com/Automattic/mongoose/commit/f88eb2524b65a68ff893c90a03c04f0913c1913e
cvssv3.1 9.1 https://github.com/Automattic/mongoose/commits/4.13.21
generic_textual CRITICAL https://github.com/Automattic/mongoose/commits/4.13.21
cvssv3.1 9.1 https://github.com/Automattic/mongoose/issues/8222
generic_textual CRITICAL https://github.com/Automattic/mongoose/issues/8222
cvssv3.1 9.1 https://github.com/Automattic/mongoose/releases/tag/4.13.21
generic_textual CRITICAL https://github.com/Automattic/mongoose/releases/tag/4.13.21
cvssv3.1 9.1 https://nvd.nist.gov/vuln/detail/CVE-2019-17426
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2019-17426
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2019-17426
https://github.com/Automattic/mongoose
https://github.com/Automattic/mongoose/commit/f3eca5b94d822225c04e96cbeed9f095afb3c31c
https://github.com/Automattic/mongoose/commit/f88eb2524b65a68ff893c90a03c04f0913c1913e
https://github.com/Automattic/mongoose/commits/4.13.21
https://github.com/Automattic/mongoose/issues/8222
https://github.com/Automattic/mongoose/releases/tag/4.13.21
CVE-2019-17426 https://nvd.nist.gov/vuln/detail/CVE-2019-17426
GHSA-8687-vv9j-hgph https://github.com/advisories/GHSA-8687-vv9j-hgph
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/Automattic/mongoose
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/Automattic/mongoose/commit/f3eca5b94d822225c04e96cbeed9f095afb3c31c
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/Automattic/mongoose/commit/f88eb2524b65a68ff893c90a03c04f0913c1913e
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/Automattic/mongoose/commits/4.13.21
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/Automattic/mongoose/issues/8222
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/Automattic/mongoose/releases/tag/4.13.21
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-17426
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.47035
EPSS Score 0.00237
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T20:25:34.615278+00:00 GHSA Importer Import https://github.com/advisories/GHSA-8687-vv9j-hgph 38.6.0