mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769.
{ "github_reviewed_at": "2021-03-31T20:14:37Z", "severity": "CRITICAL", "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "nvd_published_at": "2021-03-30T21:15:00Z" }