Cesanta
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Cesanta product.
RSS Feeds for Cesanta security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Cesanta products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Cesanta Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 9 vulnerabilities in Cesanta with an average score of 5.1 out of ten. Last year, in 2025 Cesanta had 1 security vulnerability published. That is, 8 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.82.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 9 | 5.12 |
| 2025 | 1 | 4.30 |
| 2024 | 19 | 6.89 |
| 2023 | 11 | 7.06 |
| 2022 | 59 | 6.07 |
| 2021 | 15 | 9.28 |
| 2020 | 1 | 9.80 |
| 2019 | 8 | 0.00 |
| 2018 | 4 | 6.50 |
It may take a day or so for new Cesanta vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Cesanta Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-6986 | Apr 25, 2026 |
Cesanta Mongoose <7.21: GCM Auth Tag Verification FailureA security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Handler. Such manipulation leads to improper verification of cryptographic signature. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.21 is capable of addressing this issue. It is advisable to upgrade the affected component. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already. |
Mongoose
|
| CVE-2026-6985 | Apr 25, 2026 |
Cesanta Mongoose 7.20 TCP Option Handler Infinite LoopA weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 7.21 is able to resolve this issue. Upgrading the affected component is advised. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already. |
Mongoose
|
| CVE-2026-5246 | Apr 02, 2026 |
Cesanta Mongoose <=7.20: P-384 PUB KEY handler RCE, auth bypassA vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 7.21 is able to address this issue. This patch is called 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. |
Mongoose
|
| CVE-2026-5245 | Apr 02, 2026 |
Cesanta Mongoose 7.20 mDNS Record Buffer Overflow (stack-based)A vulnerability was found in Cesanta Mongoose up to 7.20. This impacts the function handle_mdns_record of the file mongoose.c of the component mDNS Record Handler. Performing a manipulation of the argument buf results in stack-based buffer overflow. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been made public and could be used. Upgrading to version 7.21 will fix this issue. The patch is named 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. |
Mongoose
|
| CVE-2026-5244 | Apr 02, 2026 |
Cesanta Mongoose TLS 1.3 Handler Heap Overflow before 7.20 (Fixed in 7.21)A vulnerability has been found in Cesanta Mongoose up to 7.20. This affects the function mg_tls_recv_cert of the file mongoose.c of the component TLS 1.3 Handler. Such manipulation of the argument pubkey leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.21 mitigates this issue. The name of the patch is 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. |
Mongoose
|
| CVE-2018-25193 | Mar 06, 2026 |
Mongoose Web Server 6.9 DoS via Multiple Socket ConnectionsMongoose Web Server 6.9 contains a denial of service vulnerability that allows remote attackers to crash the service by establishing multiple socket connections. Attackers can repeatedly create connections to the default port and send malformed data to exhaust server resources and cause service unavailability. |
Mongoose
|
| CVE-2026-2968 | Feb 23, 2026 |
Cesanta Mongoose <=7.20 Poly1305 Tag Handler Signature Verification BypassA vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper verification of cryptographic signature. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
Mongoose
|
| CVE-2026-2967 | Feb 23, 2026 |
Cesanta Mongoose <=7.20 TCPSN Handler Getpeer Remote Sequence Num BypassA security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
Mongoose
|
| CVE-2026-2966 | Feb 23, 2026 |
Cesanta Mongoose7.20 DNS Txn ID Handler Randomness WeaknessA weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipulation of the argument random can lead to insufficiently random values. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
Mongoose
|
| CVE-2025-65502 | Nov 24, 2025 |
Cesanta Mongoose <7.2 NOPTRD in add_ca_certs() TLS DoSNull pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL. |
Mongoose
|
| CVE-2024-42383 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Out-of-range Pointer Offset VulnerabilityUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field. |
Mongoose
|
| CVE-2024-42384 | Nov 18, 2024 |
Cesanta Mongoose Web Server v7.14 TLS Packet Handling Integer Overflow VulnerabilityInteger Overflow or Wraparound vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application. |
Mongoose
|
| CVE-2024-42385 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Improper Neutralization of Delimiters Leading to Out-of-Bounds Memory WImproper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters. |
Mongoose
|
| CVE-2024-42386 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Use of Out-of-range Pointer Offset in TLS HandlingUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application. |
Mongoose
|
| CVE-2024-42387 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Use of Out-of-range Pointer Offset VulnerabilityUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space. |
Mongoose
|
| CVE-2024-42388 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability in TLS HandlingUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space. |
Mongoose
|
| CVE-2024-42389 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Use of Out-of-range Pointer Offset VulnerabilityUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space. |
Mongoose
|
| CVE-2024-42390 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability in TLS HandlingUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space. |
Mongoose
|
| CVE-2024-42391 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability in TLS HandlingUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space. |
Mongoose
|
| CVE-2024-42392 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Improper Neutralization of Delimiters Leading to Infinite LoopImproper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an infinite loop bug if the input string contains unexpected characters. |
Mongoose
|
| CVE-2024-35492 | May 29, 2024 |
Cesanta Mongoose MQTT Null Pointer Deref in scpy (DoS)Cesanta Mongoose commit b316989 was discovered to contain a NULL pointer dereference via the scpy function at src/fmt.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MQTT packet. |
Mongoose
|
| CVE-2024-35384 | May 21, 2024 |
Cesanta mjs 2.20.0 Remote DoS via mjs_array_length in mjs.cAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_array_length function in the mjs.c file. |
Mjs
|
| CVE-2024-35385 | May 21, 2024 |
Cesanta mjs 2.20.0 DOS via mjs_mk_ffi_sig in mjs.cAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_mk_ffi_sig function in the mjs.c file. |
Mjs
|
| CVE-2024-35386 | May 21, 2024 |
Cesanta mjs 2.20.0 DoS via mjs_do_gcAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_do_gc function in the mjs.c file. |
Mjs
|
| CVE-2023-49549 | Jan 02, 2024 |
Cesanta mjs 2.20.0 DoS via mjs_getretvalpos in msj.cAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_getretvalpos function in the msj.c file. |
Mjs
|
| CVE-2023-49552 | Jan 02, 2024 |
OOB Write in Cesanta mjs 2.20.0 via mjs_op_json_stringifyAn Out of Bounds Write in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_stringify function in the msj.c file. |
Mjs
|
| CVE-2023-49553 | Jan 02, 2024 |
Cesanta mjs 2.20.0 DoS via mjs_destroy in msj.cAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_destroy function in the msj.c file. |
Mjs
|
| CVE-2023-49550 | Jan 02, 2024 |
Remote DoS in Cesanta mjs 2.20.0 via mjs+0x4ec508 componentAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs+0x4ec508 component. |
Mjs
|
| CVE-2023-49551 | Jan 02, 2024 |
Cesanta mjs 2.20.0 Remote DoS via mjs_op_json_parse in msj.cAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_parse function in the msj.c file. |
Mjs
|
| CVE-2023-50044 | Dec 20, 2023 |
Cesanta MJS 2.20.0 OOB Read via getprop_builtin_foreignCesanta MJS 2.20.0 has a getprop_builtin_foreign out-of-bounds read if a Built-in API name occurs in a substring of an input string. |
Mjs
|
| CVE-2023-43338 | Sep 23, 2023 |
Cesanta mjs v2.20.0 - Function Pointer Hijack via mjs_get_ptr()Cesanta mjs v2.20.0 was discovered to contain a function pointer hijacking vulnerability via the function mjs_get_ptr(). This vulnerability allows attackers to execute arbitrary code via a crafted input. |
Mjs
|
| CVE-2020-25887 | Aug 22, 2023 |
BUFOVF in Mongoose 6.18 mg_resolve_from_hosts_fileBuffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts file. |
Mongoose
|
| CVE-2023-2905 | Aug 09, 2023 |
Cesanta Mongoose 7.10 Heap Overflow via MQTT Publish HeaderDue to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Version 7.9 and prior does not appear to be vulnerable. This issue is resolved in version 7.11. |
Mongoose
|
| CVE-2023-34188 | Jun 23, 2023 |
Mongoose <7.10 HTTP Server Nega Content-Length Infinite Loop DDoSThe HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests. |
Mongoose
|
| CVE-2023-30087 | May 09, 2023 |
Cesanta MJS v1.26 Buffer Overflow in mjs_mk_string causes DoSBuffer Overflow vulnerability found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_mk_string function in mjs.c. |
Mjs
|
| CVE-2023-30088 | May 09, 2023 |
Cesanta MJS 1.26 local DoS via mjs_executeAn issue found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_execute function in mjs.c. |
Mjs
|
| CVE-2023-29570 | Apr 24, 2023 |
Cesanta MJS 2.20.0 SEGV via mjs_ffi_cb_free leads to DoSCesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_ffi_cb_free at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS). |
Mjs
|
| CVE-2023-29569 | Apr 14, 2023 |
Cesanta MJS <2.20.0 SEGV via ffi_cb_impl_wpwwwww DoSCesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ffi_cb_impl_wpwwwww at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS). |
Mjs
|
| CVE-2023-29571 | Apr 12, 2023 |
Cesanta MJS 2.20.0 SEGV DoS via gc_sweepCesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via gc_sweep at src/mjs_gc.c. This vulnerability can lead to a Denial of Service (DoS). |
Mjs
|
| CVE-2021-36535 | Feb 03, 2023 |
CVE-2021-36535: Remote Buffer Overflow in Cesanta mJS 1.26 via crafted .jsBuffer Overflow vulnerability in Cesanta mJS 1.26 allows remote attackers to cause a denial of service via crafted .js file to mjs_set_errorf. |
Mjs
|
| CVE-2021-33443 | Jul 26, 2022 |
Stack Buffer Overflow in mJS Restricted JS Engine (mjs_execute)An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow in mjs_execute() in mjs.c. |
Mjs
|
| CVE-2021-33449 | Jul 26, 2022 |
NULL pointer deref in mJS_bcode_part_get_by_offset() (mJS engine)An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_bcode_part_get_by_offset() in mjs.c. |
Mjs
|
| CVE-2021-33448 | Jul 26, 2022 |
mJS Stack Buffer Overflow (CVE-2021-33448)An issue was discovered in mjs(mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow at 0x7fffe9049390. |
Mjs
|
| CVE-2021-33447 | Jul 26, 2022 |
NULL Pointer Deref in mJS Restricted JS Engine's mjs_print()An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_print() in mjs.c. |
Mjs
|
| CVE-2021-33446 | Jul 26, 2022 |
mJS Null Pointer Deref in mjs_next() - ES6 EngineAn issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_next() in mjs.c. |
Mjs
|
| CVE-2021-33445 | Jul 26, 2022 |
mJS NULL Pointer Dereference in mjs_string_char_code_at()An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_string_char_code_at() in mjs.c. |
Mjs
|
| CVE-2021-33444 | Jul 26, 2022 |
mJS NULL Pointer Deref. getprop_builtin_foreign() VulnerabilityAn issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in getprop_builtin_foreign() in mjs.c. |
Mjs
|
| CVE-2021-33438 | Jul 26, 2022 |
mJS Restricted JS Engine Stack Buffer Overflow (json_parse_array)An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow in json_parse_array() in mjs.c. |
Mjs
|
| CVE-2021-33439 | Jul 26, 2022 |
mJS Integer Overflow in gc_compact_strings()An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is Integer overflow in gc_compact_strings() in mjs.c. |
Mjs
|
| CVE-2021-33442 | Jul 26, 2022 |
mJS Null Pointer Deref in json_printf()An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in json_printf() in mjs.c. |
Mjs
|