VYPR

Vendor CVEs

Cesanta

All CVEs

137 total · sorted by risk
  • CVE-2017-2894CriNov 7, 2017
    risk 0.66cvss 9.8epss 0.31

    An exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote code execution. An attacker needs to send a specially…

  • CVE-2017-2922CriNov 7, 2017
    risk 0.64cvss 9.8epss 0.03

    An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause a buffer to be allocated while leaving stale pointers which leads to a use-after-free vulnerability which can be…

  • CVE-2017-2921CriNov 7, 2017
    risk 0.64cvss 9.8epss 0.02

    An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow, leading to a heap buffer overflow and resulting in denial of service and potential remote…

  • CVE-2017-2892CriNov 7, 2017
    risk 0.64cvss 9.8epss 0.02

    An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT packet can cause an arbitrary out-of-bounds memory read and write potentially resulting in information disclosure, denial of…

  • CVE-2017-2891CriNov 7, 2017
    risk 0.64cvss 9.8epss 0.03

    An exploitable use-after-free vulnerability exists in the HTTP server implementation of Cesanta Mongoose 6.8. An ordinary HTTP POST request with a CGI target can cause a reuse of previously freed pointer potentially resulting in remote code execution. An attacker needs to send…

  • CVE-2017-11567HigSep 7, 2017
    risk 0.61cvss 8.8epss 0.04

    Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server before 6.9 allows remote attackers to hijack the authentication of users for requests that modify Mongoose.conf via a request to __mg_admin?save. NOTE: this issue can be leveraged to execute arbitrary code…

  • CVE-2017-2895HigNov 7, 2017
    risk 0.53cvss 8.2epss 0.01

    An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of…

  • CVE-2017-7185HigApr 10, 2017
    risk 0.53cvss 7.5epss 0.12

    Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data…

  • CVE-2017-2893HigNov 7, 2017
    risk 0.51cvss 7.5epss 0.27

    An exploitable NULL pointer dereference vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An MQTT SUBSCRIBE packet can cause a NULL pointer dereference leading to server crash and denial of service. An attacker needs to send a specially…

  • CVE-2024-35492HigMay 29, 2024
    risk 0.49cvss 7.5epss 0.01

    Cesanta Mongoose commit b316989 was discovered to contain a NULL pointer dereference via the scpy function at src/fmt.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MQTT packet.

  • CVE-2018-10945HigJun 19, 2018
    risk 0.49cvss 7.5epss 0.01

    The mg_handle_cgi function in mongoose.c in Mongoose 6.11 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash, or NULL pointer dereference) via an HTTP request, related to the mbuf_insert function.

  • CVE-2017-2909HigNov 7, 2017
    risk 0.49cvss 7.5epss 0.01

    An infinite loop programming error exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and Denial Of Service. An attacker can send a packet over the network to trigger this…

  • CVE-2026-5244HigApr 2, 2026
    risk 0.40cvss 7.3epss 0.01

    A vulnerability has been found in Cesanta Mongoose up to 7.20. This affects the function mg_tls_recv_cert of the file mongoose.c of the component TLS 1.3 Handler. Such manipulation of the argument pubkey leads to heap-based buffer overflow. The attack may be launched remotely.…

  • CVE-2025-0696MedJan 27, 2025
    risk 0.34cvss 5.3epss 0.00

    A NULL Pointer Dereference vulnerability in Cesanta Frozen versions less than 1.7 allows an attacker to induce a crash of the component embedding the library by supplying a maliciously crafted JSON as input.

  • CVE-2025-0695MedJan 27, 2025
    risk 0.34cvss 5.3epss 0.00

    An Allocation of Resources Without Limits or Throttling vulnerability in Cesanta Frozen versions less than 1.7 allows an attacker to induce a crash of the component embedding the library by supplying a maliciously crafted JSON as input.

  • CVE-2026-5246MedApr 2, 2026
    risk 0.29cvss 5.6epss 0.01

    A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely.…

  • CVE-2026-5245MedApr 2, 2026
    risk 0.29cvss 5.6epss 0.01

    A vulnerability was found in Cesanta Mongoose up to 7.20. This impacts the function handle_mdns_record of the file mongoose.c of the component mDNS Record Handler. Performing a manipulation of the argument buf results in stack-based buffer overflow. Remote exploitation of the…

  • CVE-2026-6985MedApr 25, 2026
    risk 0.27cvss 5.3epss 0.01

    A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be…

  • CVE-2026-2968LowFeb 23, 2026
    risk 0.24cvss 3.7epss 0.00

    A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper verification of cryptographic signature.…

  • CVE-2026-2967LowFeb 23, 2026
    risk 0.24cvss 3.7epss 0.00

    A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The…

  • CVE-2026-2966LowFeb 23, 2026
    risk 0.24cvss 3.7epss 0.00

    A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipulation of the argument random can lead to insufficiently random values. The…

  • CVE-2023-30421LowApr 19, 2025
    risk 0.19cvss 2.9epss 0.00

    mystrtod in mjson 1.2.7 requires more than a billion iterations during processing of certain digit strings such as 8891110122900e913013935755114.

  • CVE-2026-6986LowApr 25, 2026
    risk 0.17cvss 3.7epss 0.00

    A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Handler. Such manipulation leads to improper verification of cryptographic…

  • CVE-2025-65502Nov 24, 2025
    risk 0.00cvss epss 0.00

    Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL.

  • CVE-2024-42392Nov 18, 2024
    risk 0.00cvss epss 0.00

    Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an infinite loop bug if the input string contains unexpected characters.

  • CVE-2024-42391Nov 18, 2024
    risk 0.00cvss epss 0.00

    Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.

  • CVE-2024-42390Nov 18, 2024
    risk 0.00cvss epss 0.00

    Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.

  • CVE-2024-42389Nov 18, 2024
    risk 0.00cvss epss 0.00

    Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.

  • CVE-2024-42388Nov 18, 2024
    risk 0.00cvss epss 0.00

    Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.

  • CVE-2024-42387Nov 18, 2024
    risk 0.00cvss epss 0.00

    Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.

  • CVE-2024-42386Nov 18, 2024
    risk 0.00cvss epss 0.00

    Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.

  • CVE-2024-42385Nov 18, 2024
    risk 0.00cvss epss 0.00

    Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters.

  • CVE-2024-42384Nov 18, 2024
    risk 0.00cvss epss 0.00

    Integer Overflow or Wraparound vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.

  • CVE-2024-42383Nov 18, 2024
    risk 0.00cvss epss 0.00

    Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.

  • CVE-2024-35385May 21, 2024
    risk 0.00cvss epss 0.01

    An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_mk_ffi_sig function in the mjs.c file.

  • CVE-2024-35384May 21, 2024
    risk 0.00cvss epss 0.00

    An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_array_length function in the mjs.c file.

  • CVE-2024-35386May 21, 2024
    risk 0.00cvss epss 0.01

    An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_do_gc function in the mjs.c file.

  • CVE-2023-49550Jan 2, 2024
    risk 0.00cvss epss 0.01

    An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs+0x4ec508 component.

  • CVE-2023-49552Jan 2, 2024
    risk 0.00cvss epss 0.01

    An Out of Bounds Write in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_stringify function in the msj.c file.

  • CVE-2023-49551Jan 2, 2024
    risk 0.00cvss epss 0.01

    An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_parse function in the msj.c file.

  • CVE-2023-49553Jan 2, 2024
    risk 0.00cvss epss 0.01

    An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_destroy function in the msj.c file.

  • CVE-2023-49549Jan 2, 2024
    risk 0.00cvss epss 0.01

    An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_getretvalpos function in the msj.c file.

  • CVE-2023-50044Dec 20, 2023
    risk 0.00cvss epss 0.01

    Cesanta MJS 2.20.0 has a getprop_builtin_foreign out-of-bounds read if a Built-in API name occurs in a substring of an input string.

  • CVE-2023-43338Sep 22, 2023
    risk 0.00cvss epss 0.01

    Cesanta mjs v2.20.0 was discovered to contain a function pointer hijacking vulnerability via the function mjs_get_ptr(). This vulnerability allows attackers to execute arbitrary code via a crafted input.

  • CVE-2023-2905Aug 9, 2023
    risk 0.00cvss epss 0.01

    Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Version…

  • CVE-2023-34188Jun 23, 2023
    risk 0.00cvss epss 0.01

    The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other…

  • CVE-2023-34611Jun 14, 2023
    risk 0.00cvss epss 0.01

    An issue was discovered mjson thru 1.4.1 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

  • CVE-2023-30087May 9, 2023
    risk 0.00cvss epss 0.00

    Buffer Overflow vulnerability found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_mk_string function in mjs.c.

  • CVE-2023-30088May 9, 2023
    risk 0.00cvss epss 0.00

    An issue found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_execute function in mjs.c.

  • CVE-2023-29570Apr 24, 2023
    risk 0.00cvss epss 0.00

    Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_ffi_cb_free at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS).

Page 1 of 3