High severity 7.5 · NVD Advisory · Published May 13, 2026 · Updated May 15, 2026
CVE-2026-8336
Description
After invoking $_internalJsEmit, which is not intended to be directly accessible, or the mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, the mapreduce reduce stage, etc.) is also used in a specific way, resulting in a post-authentication denial of service.
This issue impacts MongoDB Server v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (10)
- Worm rubs out competitor's malware, then takes control · The Register Security · May 8, 2026
- The Good, the Bad and the Ugly in Cybersecurity – Week 19 · SentinelOne Labs · May 8, 2026
- PCPJack Campaign Boots TeamPCP Off Compromised Machines · Infosecurity Magazine · May 8, 2026
- ‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials · SecurityWeek · May 8, 2026
- New PCPJack worm steals credentials, cleans TeamPCP infections · BleepingComputer · May 7, 2026
- PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems · The Hacker News · May 7, 2026
- VECT: Ransomware by design, Wiper by accident · Check Point Research · Apr 28, 2026
- Ongoing supply-chain attack 'explicitly targeting' security, dev tools · The Register Security · Apr 27, 2026
- Ongoing supply-chain attack 'explicitly targeting' security, dev tools · The Register Security · Apr 27, 2026
- Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack · The Hacker News · Apr 27, 2026