Vulnerability details: VCID-xk4w-gxs4-7bab
Vulnerability ID VCID-xk4w-gxs4-7bab
Aliases CVE-2023-3696
GHSA-9m93-w8w6-76hh
Summary Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.00465 https://api.first.org/data/v1/epss?cve=CVE-2023-3696
cvssv3.1 10.0 https://github.com/Automattic/mongoose
generic_textual CRITICAL https://github.com/Automattic/mongoose
cvssv3 10 https://github.com/automattic/mongoose/commit/305ce4ff789261df7e3f6e72363d0703e025f80d
cvssv3.1 10.0 https://github.com/automattic/mongoose/commit/305ce4ff789261df7e3f6e72363d0703e025f80d
generic_textual CRITICAL https://github.com/automattic/mongoose/commit/305ce4ff789261df7e3f6e72363d0703e025f80d
ssvc Track https://github.com/automattic/mongoose/commit/305ce4ff789261df7e3f6e72363d0703e025f80d
cvssv3.1 10.0 https://github.com/Automattic/mongoose/commit/e29578d2ec18a68aeb4717d66dd5eb66bae53de1
generic_textual CRITICAL https://github.com/Automattic/mongoose/commit/e29578d2ec18a68aeb4717d66dd5eb66bae53de1
cvssv3.1 10.0 https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2
generic_textual CRITICAL https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2
cvssv3.1 10.0 https://github.com/Automattic/mongoose/releases/tag/7.3.3
generic_textual CRITICAL https://github.com/Automattic/mongoose/releases/tag/7.3.3
cvssv3 10 https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467
cvssv3.1 10.0 https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467
generic_textual CRITICAL https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467
ssvc Track https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467
cvssv3.1 10.0 https://nvd.nist.gov/vuln/detail/CVE-2023-3696
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2023-3696
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H Found at https://github.com/Automattic/mongoose
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H Found at https://github.com/automattic/mongoose/commit/305ce4ff789261df7e3f6e72363d0703e025f80d
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T14:09:03Z/ Found at https://github.com/automattic/mongoose/commit/305ce4ff789261df7e3f6e72363d0703e025f80d
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H Found at https://github.com/Automattic/mongoose/commit/e29578d2ec18a68aeb4717d66dd5eb66bae53de1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H Found at https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H Found at https://github.com/Automattic/mongoose/releases/tag/7.3.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H Found at https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T14:09:03Z/ Found at https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-3696

Exploit Prediction Scoring System (EPSS)
Percentile 0.64831
EPSS Score 0.00465
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:30:32.898401+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/3xxx/CVE-2023-3696.json 38.6.0