Cesanta
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Cesanta product.
RSS Feeds for Cesanta security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Cesanta products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Cesanta Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 4 vulnerabilities in Cesanta with an average score of 4.7 out of ten. Last year, in 2025 Cesanta had 1 security vulnerability published. That is, 3 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.35.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 4 | 4.65 |
| 2025 | 1 | 4.30 |
| 2024 | 19 | 6.89 |
| 2023 | 11 | 7.06 |
| 2022 | 59 | 6.07 |
| 2021 | 15 | 9.28 |
| 2020 | 1 | 9.80 |
| 2019 | 8 | 0.00 |
| 2018 | 4 | 6.50 |
It may take a day or so for new Cesanta vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Cesanta Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2018-25193 | Mar 06, 2026 |
Mongoose Web Server 6.9 DoS via Multiple Socket ConnectionsMongoose Web Server 6.9 contains a denial of service vulnerability that allows remote attackers to crash the service by establishing multiple socket connections. Attackers can repeatedly create connections to the default port and send malformed data to exhaust server resources and cause service unavailability. |
Mongoose
|
| CVE-2026-2968 | Feb 23, 2026 |
Cesanta Mongoose <=7.20 Poly1305 Tag Handler Signature Verification BypassA vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper verification of cryptographic signature. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
Mongoose
|
| CVE-2026-2967 | Feb 23, 2026 |
Cesanta Mongoose <=7.20 TCPSN Handler Getpeer Remote Sequence Num BypassA security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
Mongoose
|
| CVE-2026-2966 | Feb 23, 2026 |
Cesanta Mongoose7.20 DNS Txn ID Handler Randomness WeaknessA weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipulation of the argument random can lead to insufficiently random values. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
Mongoose
|
| CVE-2025-65502 | Nov 24, 2025 |
Cesanta Mongoose <7.2 NOPTRD in add_ca_certs() TLS DoSNull pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL. |
Mongoose
|
| CVE-2024-42383 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Out-of-range Pointer Offset VulnerabilityUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field. |
Mongoose
|
| CVE-2024-42384 | Nov 18, 2024 |
Cesanta Mongoose Web Server v7.14 TLS Packet Handling Integer Overflow VulnerabilityInteger Overflow or Wraparound vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application. |
Mongoose
|
| CVE-2024-42385 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Improper Neutralization of Delimiters Leading to Out-of-Bounds Memory WImproper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters. |
Mongoose
|
| CVE-2024-42386 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Use of Out-of-range Pointer Offset in TLS HandlingUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application. |
Mongoose
|
| CVE-2024-42387 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Use of Out-of-range Pointer Offset VulnerabilityUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space. |
Mongoose
|
| CVE-2024-42388 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability in TLS HandlingUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space. |
Mongoose
|
| CVE-2024-42389 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Use of Out-of-range Pointer Offset VulnerabilityUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space. |
Mongoose
|
| CVE-2024-42390 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability in TLS HandlingUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space. |
Mongoose
|
| CVE-2024-42391 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability in TLS HandlingUse of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space. |
Mongoose
|
| CVE-2024-42392 | Nov 18, 2024 |
Cesanta Mongoose Web Server: Improper Neutralization of Delimiters Leading to Infinite LoopImproper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an infinite loop bug if the input string contains unexpected characters. |
Mongoose
|
| CVE-2024-35492 | May 29, 2024 |
Cesanta Mongoose MQTT Null Pointer Deref in scpy (DoS)Cesanta Mongoose commit b316989 was discovered to contain a NULL pointer dereference via the scpy function at src/fmt.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MQTT packet. |
Mongoose
|
| CVE-2024-35384 | May 21, 2024 |
Cesanta mjs 2.20.0 Remote DoS via mjs_array_length in mjs.cAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_array_length function in the mjs.c file. |
Mjs
|
| CVE-2024-35385 | May 21, 2024 |
Cesanta mjs 2.20.0 DOS via mjs_mk_ffi_sig in mjs.cAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_mk_ffi_sig function in the mjs.c file. |
Mjs
|
| CVE-2024-35386 | May 21, 2024 |
Cesanta mjs 2.20.0 DoS via mjs_do_gcAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_do_gc function in the mjs.c file. |
Mjs
|
| CVE-2023-49549 | Jan 02, 2024 |
Cesanta mjs 2.20.0 DoS via mjs_getretvalpos in msj.cAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_getretvalpos function in the msj.c file. |
Mjs
|
| CVE-2023-49552 | Jan 02, 2024 |
OOB Write in Cesanta mjs 2.20.0 via mjs_op_json_stringifyAn Out of Bounds Write in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_stringify function in the msj.c file. |
Mjs
|
| CVE-2023-49553 | Jan 02, 2024 |
Cesanta mjs 2.20.0 DoS via mjs_destroy in msj.cAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_destroy function in the msj.c file. |
Mjs
|
| CVE-2023-49550 | Jan 02, 2024 |
Remote DoS in Cesanta mjs 2.20.0 via mjs+0x4ec508 componentAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs+0x4ec508 component. |
Mjs
|
| CVE-2023-49551 | Jan 02, 2024 |
Cesanta mjs 2.20.0 Remote DoS via mjs_op_json_parse in msj.cAn issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_parse function in the msj.c file. |
Mjs
|
| CVE-2023-50044 | Dec 20, 2023 |
Cesanta MJS 2.20.0 OOB Read via getprop_builtin_foreignCesanta MJS 2.20.0 has a getprop_builtin_foreign out-of-bounds read if a Built-in API name occurs in a substring of an input string. |
Mjs
|
| CVE-2023-43338 | Sep 23, 2023 |
Cesanta mjs v2.20.0 - Function Pointer Hijack via mjs_get_ptr()Cesanta mjs v2.20.0 was discovered to contain a function pointer hijacking vulnerability via the function mjs_get_ptr(). This vulnerability allows attackers to execute arbitrary code via a crafted input. |
Mjs
|
| CVE-2020-25887 | Aug 22, 2023 |
BUFOVF in Mongoose 6.18 mg_resolve_from_hosts_fileBuffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts file. |
Mongoose
|
| CVE-2023-2905 | Aug 09, 2023 |
Cesanta Mongoose 7.10 Heap Overflow via MQTT Publish HeaderDue to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Version 7.9 and prior does not appear to be vulnerable. This issue is resolved in version 7.11. |
Mongoose
|
| CVE-2023-34188 | Jun 23, 2023 |
Mongoose <7.10 HTTP Server Nega Content-Length Infinite Loop DDoSThe HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests. |
Mongoose
|
| CVE-2023-30087 | May 09, 2023 |
Cesanta MJS v1.26 Buffer Overflow in mjs_mk_string causes DoSBuffer Overflow vulnerability found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_mk_string function in mjs.c. |
Mjs
|
| CVE-2023-30088 | May 09, 2023 |
Cesanta MJS 1.26 local DoS via mjs_executeAn issue found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_execute function in mjs.c. |
Mjs
|
| CVE-2023-29570 | Apr 24, 2023 |
Cesanta MJS 2.20.0 SEGV via mjs_ffi_cb_free leads to DoSCesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_ffi_cb_free at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS). |
Mjs
|
| CVE-2023-29569 | Apr 14, 2023 |
Cesanta MJS <2.20.0 SEGV via ffi_cb_impl_wpwwwww DoSCesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ffi_cb_impl_wpwwwww at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS). |
Mjs
|
| CVE-2023-29571 | Apr 12, 2023 |
Cesanta MJS 2.20.0 SEGV DoS via gc_sweepCesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via gc_sweep at src/mjs_gc.c. This vulnerability can lead to a Denial of Service (DoS). |
Mjs
|
| CVE-2021-36535 | Feb 03, 2023 |
CVE-2021-36535: Remote Buffer Overflow in Cesanta mJS 1.26 via crafted .jsBuffer Overflow vulnerability in Cesanta mJS 1.26 allows remote attackers to cause a denial of service via crafted .js file to mjs_set_errorf. |
Mjs
|
| CVE-2021-33446 | Jul 26, 2022 |
mJS Null Pointer Deref in mjs_next() - ES6 EngineAn issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_next() in mjs.c. |
Mjs
|
| CVE-2021-33449 | Jul 26, 2022 |
NULL pointer deref in mJS_bcode_part_get_by_offset() (mJS engine)An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_bcode_part_get_by_offset() in mjs.c. |
Mjs
|
| CVE-2021-33448 | Jul 26, 2022 |
mJS Stack Buffer Overflow (CVE-2021-33448)An issue was discovered in mjs(mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow at 0x7fffe9049390. |
Mjs
|
| CVE-2021-33447 | Jul 26, 2022 |
NULL Pointer Deref in mJS Restricted JS Engine's mjs_print()An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_print() in mjs.c. |
Mjs
|
| CVE-2021-33445 | Jul 26, 2022 |
mJS NULL Pointer Dereference in mjs_string_char_code_at()An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_string_char_code_at() in mjs.c. |
Mjs
|
| CVE-2021-33444 | Jul 26, 2022 |
mJS NULL Pointer Deref. getprop_builtin_foreign() VulnerabilityAn issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in getprop_builtin_foreign() in mjs.c. |
Mjs
|
| CVE-2021-33443 | Jul 26, 2022 |
Stack Buffer Overflow in mJS Restricted JS Engine (mjs_execute)An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow in mjs_execute() in mjs.c. |
Mjs
|
| CVE-2021-33441 | Jul 26, 2022 |
mJS NULL ptr deref in exec_expr() ES6 EngineAn issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in exec_expr() in mjs.c. |
Mjs
|
| CVE-2021-33437 | Jul 26, 2022 |
Memory leak in frozen_cb() of mJS (Restricted JS Engine)An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There are memory leaks in frozen_cb() in mjs.c. |
Mjs
|
| CVE-2021-33438 | Jul 26, 2022 |
mJS Restricted JS Engine Stack Buffer Overflow (json_parse_array)An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow in json_parse_array() in mjs.c. |
Mjs
|
| CVE-2021-33439 | Jul 26, 2022 |
mJS Integer Overflow in gc_compact_strings()An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is Integer overflow in gc_compact_strings() in mjs.c. |
Mjs
|
| CVE-2021-33440 | Jul 26, 2022 |
mJS NULL pointer deref in mjs_bcode_commitAn issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_bcode_commit() in mjs.c. |
Mjs
|
| CVE-2021-33442 | Jul 26, 2022 |
mJS Null Pointer Deref in json_printf()An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in json_printf() in mjs.c. |
Mjs
|
| CVE-2021-27425 | May 03, 2022 |
Cesanta Software Mongoose-OS v2.17.0 is vulnerable to integer wrap-around in function mm_mallocCesanta Software Mongoose-OS v2.17.0 is vulnerable to integer wrap-around in function mm_malloc. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. |
Mongoose Os
|
| CVE-2022-25299 | Feb 18, 2022 |
This affects the package cesanta/mongoose before 7.6This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder. |
Mongoose
|