PYSEC-2026-1826

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pymongo/PYSEC-2026-1826.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1826
Aliases
Published
2026-07-07T11:45:45.680005Z
Modified
2026-07-07T17:47:50.595411828Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L CVSS Calculator
Summary
PyMongo Out-of-bounds Read in the bson module
Details

Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte.

References

Affected packages

PyPI / pymongo

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.6.3

Affected versions

0.*
0.1pre
0.1.1pre
0.1.2pre
0.2pre
0.3pre
0.3.1pre
0.4pre
0.5pre
0.5.1pre
0.5.2pre
0.5.3pre
0.6
0.7
0.7.1
0.7.2
0.8
0.8.1
0.9
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.10
0.10.1
0.10.2
0.10.3
0.11
0.11.1
0.11.2
0.11.3
0.12
0.13
0.14
0.14.1
0.14.2
0.15
0.15.1
0.15.2
0.16
1.*
1.0
1.1
1.1.1
1.1.2
1.2
1.2.1
1.3
1.4
1.5
1.5.1
1.5.2
1.6
1.7
1.8
1.8.1
1.9
1.10
1.10.1
1.11
2.*
2.0
2.0.1
2.1
2.1.1
2.2
2.2.1
2.3
2.4
2.4.1
2.4.2
2.5
2.5.1
2.5.2
2.6
2.6.1
2.6.2
2.6.3
2.7
2.7.1
2.7.2
2.8
2.8.1
2.9
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
3.*
3.0
3.0.1
3.0.2
3.0.3
3.1
3.1.1
3.2
3.2.1
3.2.2
3.3.0
3.3.1
3.4.0
3.5.0
3.5.1
3.6.0
3.6.1
3.7.0
3.7.1
3.7.2
3.8.0
3.9.0
3.10.0
3.10.1
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.12.0
3.12.1
3.12.2
3.12.3
3.13.0
4.*
4.0
4.0.1
4.0.2
4.1.0
4.1.1
4.2.0
4.3.2
4.3.3
4.4.0b0
4.4.0
4.4.1
4.5.0
4.6.0
4.6.1
4.6.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pymongo/PYSEC-2026-1826.yaml"