Threats Tagged 'cwe-943'
View all threats tagged with 'cwe-943'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'cwe-943'
Click on any threat for detailed analysis and mitigation recommendations
CVE-2026-45689: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in RocketChat Rocket.ChatCVE-2026-45689 0 Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, an unauthenticated network attacker obtains a valid Rocket.Chat OAuth access token for an arbitrary user by sending a single HTTP POST with MongoDB query operators to /oauth/token. The Rocket.Chat OAuth2 server does not validate that grant parameters are strings before forwarding them to findOne({...}) against the oauth_apps and oauth_access_tokens collections, so an attacker substitutes {"$ne": null} for client_id, client_secret, and refresh_token and receives a freshly minted {access_token, refresh_token} pair bound to whichever user's refresh token Mongo returned first. The resulting access token is a first-class bearer credential against the full /api/v1/* surface as that user. By iterating with $nin / $regex operators the attacker walks the entire oauth_access_tokens collection, collecting one fresh access token per user per request. If any matched token belongs to an admin, the stolen bearer gives full admin API access (including Apps-Engine app installation, i.e. server-side code execution). No account, credentials, userId, or prior interaction with the instance are required. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Join the discussion | CVE Database V5 | 06/24/2026, 20:57:32 UTC Added: 06/24/2026, 21:32:17 UTC |
CVE-2026-45688: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in RocketChat Rocket.ChatCVE-2026-45688 0 Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOne({_id: ...}) query without any runtime type check. TypeScript's string parameter annotation is erased at runtime, so an unauthenticated attacker can substitute a MongoDB query operator ({"$gt": ""}, {"$ne": null}, etc.) for what the server expects to be an opaque ticket string. The injected operator matches the first unexpired document in the credential_tokens collection, bypassing the CAS ticket check entirely. When any legitimate CAS or SAML SSO login is in flight, the attacker's next DDP login call matches the same credential-token row via the NoSQL operator and is issued a full Meteor auth token (userId + token) bound to the victim. The token is immediately usable against the complete REST and DDP surface as that user. If the victim is an administrator, this escalates to full instance compromise via Apps-Engine app install. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Join the discussion | CVE Database V5 | 06/24/2026, 20:56:44 UTC Added: 06/24/2026, 21:32:17 UTC |
CVE-2026-47835: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in Spring Spring AICVE-2026-47835 0 In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store. Affected versions: Spring AI 1.0.0 through 1.0.x (fix 1.0.9). Spring AI 1.1.0 through 1.1.x (fix 1.1.8). Join the discussion | CVE Database V5 | 06/15/2026, 18:54:19 UTC Added: 06/15/2026, 19:30:41 UTC |
CVE-2026-49482: CWE-155: Improper Neutralization of Wildcards or Matching Symbols in MacWarrior clipbucket-v5CVE-2026-49482 0 ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #141, ClipBucket v5 contains an improper neutralization of SQL wildcard characters in the subtitle editing endpoint. An authenticated user can send a % character as the number parameter to overwrite all subtitle titles of any video they own in a single HTTP request. This issue has been patched in version 5.5.3 - #141. Join the discussion | CVE Database V5 | 06/11/2026, 22:55:17 UTC Added: 06/11/2026, 23:30:07 UTC |
CVE-2026-47181: CWE-20: Improper Input Validation in PenguinMod PenguinMod-BackendApiCVE-2026-47181 0 PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0. Join the discussion | CVE Database V5 | 06/11/2026, 18:49:14 UTC Added: 06/11/2026, 19:00:33 UTC |
CVE-2026-41697: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in Spring Spring Data RelationalCVE-2026-41697 0 Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference. Affected versions: Spring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19. Join the discussion | CVE Database V5 | 06/09/2026, 23:47:42 UTC Added: 06/09/2026, 23:55:46 UTC |
CVE-2026-41696: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in Spring Spring Data MongoDBCVE-2026-41696 0 Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19. Join the discussion | CVE Database V5 | 06/09/2026, 23:47:37 UTC Added: 06/09/2026, 23:55:46 UTC |
Showing 1 to 7 of 7 results