This image (mongo-express 0.54.0, apparently on an Alpine base given the busybox 1.31.1-r10 and zlib 1.2.11-r3 apk revisions listed below) poses a critical security risk and must not be used in production, least of all as an internet-facing service. The findings include remote code execution, server-side request forgery and denial of service, all reachable without authentication. Several critical vulnerabilities, for example CVE-2020-24391 in mongodb-query-parser and CVE-2021-3918 in json-schema, sit on code paths that are directly reachable over the network. A few findings, such as CVE-2020-7699 in express-fileupload, require enabling a non-default option; the majority are exploitable in the default configuration. Note also that a number of the directly exposed findings (among them CVE-2024-29415 in ip, CVE-2019-10769 in safer-eval, CVE-2022-24434 in dicer, CVE-2022-27261 in express-fileupload and CVE-2020-8203 in lodash.set) list no fixed version, so upgrading dependencies alone does not fully remediate the image; restrict its network exposure until patched releases exist.
| CVE ID | Adjusted Severity (label, score) | Package (installed version, fixed-in versions) | Exploit Probability (scanner's risk band) | Risk Context (exposure class; context importance where rated) |
|---|---|---|---|---|
| CVE-2020-24391 | CRITICAL 10 | mongodb-query-parser 1.4.3 fixed in 2.0.0 | 75.1% (Actively Exploited) | Directly Exposed; context importance: HIGH |
| CVE-2024-29415 | CRITICAL 9.8 | ip 1.1.5 No fix yet | 8.3% (Low-Moderate Risk) | Directly Exposed; context importance: HIGH |
| CVE-2023-42282 | CRITICAL 9.8 | ip 1.1.5 fixed in 2.0.1, 1.1.9 | 1.6% (Low-Moderate Risk) | Directly Exposed; context importance: HIGH |
| CVE-2021-3918 | CRITICAL 9.8 | json-schema 0.2.3 fixed in 0.4.0 | 3.6% (Low-Moderate Risk) | Directly Exposed; context importance: HIGH |
| CVE-2019-10769 | CRITICAL 9.8 | safer-eval 1.3.6 No fix yet | 2.6% (Low-Moderate Risk) | Directly Exposed; context importance: HIGH |
| CVE-2022-38900 | HIGH 8.62 | decode-uri-component 0.2.0 fixed in 0.2.1 | 24.7% (High Exploitation Risk) | Directly Exposed; context importance: HIGH |
| CVE-2022-24999 | HIGH 8.62 | qs 6.5.2 fixed in 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 | 14.7% (High Exploitation Risk) | Directly Exposed; context importance: HIGH |
| CVE-2022-24999 | HIGH 8.62 | qs 6.7.0 fixed in 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 | 14.7% (High Exploitation Risk) | Directly Exposed; context importance: HIGH |
| CVE-2020-7610 | HIGH 7.84 | bson 1.0.9 fixed in 1.1.4 | 2.2% (Low-Moderate Risk) | Directly Exposed; context importance: MEDIUM |
| CVE-2020-7699 | HIGH 7.84 | express-fileupload 0.4.0 fixed in 1.1.9 | 4.7% (Low-Moderate Risk) | Directly Exposed; context importance: MEDIUM |
| CVE-2026-4800 | HIGH 7.84 | lodash 4.17.21 fixed in 4.18.0 | 1.0% (Low-Moderate Risk) | Directly Exposed; context importance: MEDIUM |
| CVE-2023-26136 | HIGH 7.84 | tough-cookie 2.4.3 fixed in 4.1.3 | 2.1% (Low-Moderate Risk) | Directly Exposed; context importance: MEDIUM |
| CVE-2021-3807 | HIGH 7.5 | ansi-regex 3.0.0 fixed in 6.0.1, 5.0.1, 4.1.1, 3.0.1 | 3.3% (Low-Moderate Risk) | Directly Exposed; context importance: HIGH |
| CVE-2021-3807 | HIGH 7.5 | ansi-regex 4.1.0 fixed in 6.0.1, 5.0.1, 4.1.1, 3.0.1 | 3.3% (Low-Moderate Risk) | Directly Exposed; context importance: HIGH |
| CVE-2024-4068 | HIGH 7.5 | braces 3.0.2 fixed in 3.0.3 | 1.5% (Low-Moderate Risk) | Directly Exposed |
| CVE-2022-24434 | HIGH 7.5 | dicer 0.2.5 No fix yet | 3.0% (Low-Moderate Risk) | Directly Exposed; context importance: HIGH |
| CVE-2022-27261 | HIGH 7.5 | express-fileupload 0.4.0 No fix yet | 1.3% (Low-Moderate Risk) | Directly Exposed; context importance: HIGH |
| CVE-2022-25881 | HIGH 7.5 | http-cache-semantics 3.8.1 fixed in 4.1.1 | 1.6% (Low-Moderate Risk) | Directly Exposed; context importance: HIGH |
| CVE-2022-3517 | HIGH 7.5 | minimatch 3.0.4 fixed in 3.0.5 | 1.7% (Low-Moderate Risk) | Directly Exposed |
| CVE-2022-31129 | HIGH 7.5 | moment 2.29.1 fixed in 2.29.4 | 3.9% (Low-Moderate Risk) | Directly Exposed |
| CVE-2023-25345 | HIGH 7.5 | swig-templates 2.0.3 No fix yet | 1.0% (Low-Moderate Risk) | Directly Exposed |
| CVE-2020-8203 | HIGH 7.4 | lodash.set 4.3.2 No fix yet | 5.2% (Low-Moderate Risk) | Directly Exposed |
| CVE-2020-8116 | HIGH 7.3 | dot-prop 3.0.0 fixed in 4.2.1, 5.1.1 | 3.0% (Low-Moderate Risk) | Directly Exposed |
| CVE-2026-44705 | MEDIUM 6.97 | tmp 0.0.33 fixed in 0.2.6 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2025-69873 | MEDIUM 6.38 | ajv 6.12.6 fixed in 8.18.0, 6.14.0 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2024-45590 | MEDIUM 6.38 | body-parser 1.19.0 fixed in 1.20.3 | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33750 | MEDIUM 6.38 | brace-expansion 1.1.11 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-26996 | MEDIUM 6.38 | minimatch 3.0.4 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2021-23372 | MEDIUM 6.38 | mongo-express 0.54.0 No fix yet | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2025-15284 | MEDIUM 6.38 | qs 6.5.2 fixed in 6.14.1 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2025-15284 | MEDIUM 6.38 | qs 6.7.0 fixed in 6.14.1 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-2391 | MEDIUM 6.38 | qs 6.7.0 fixed in 6.14.2 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-41907 | MEDIUM 6.38 | uuid 2.0.3 fixed in 11.1.1, 12.0.1, 13.0.1 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-41907 | MEDIUM 6.38 | uuid 3.3.3 fixed in 11.1.1, 12.0.1, 13.0.1 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2021-21422 | MEDIUM 6.1 | mongo-express 0.54.0 fixed in 1.0.0-alpha.4 | 1.6% (Low-Moderate Risk) | Directly Exposed |
| CVE-2022-24785 | MEDIUM 6 | moment 2.29.1 fixed in 2.29.2 | 5.4% (Low-Moderate Risk) | Directly Exposed; context importance: MEDIUM |
| CVE-2022-25883 | MEDIUM 6 | semver 5.7.1 fixed in 7.5.2, 6.3.1, 5.7.2 | 2.5% (Low-Moderate Risk) | Directly Exposed; context importance: MEDIUM |
| CVE-2020-7598 | MEDIUM 5.6 | minimist 0.0.10 fixed in 0.2.1, 1.2.3 | 1.9% (Low-Moderate Risk) | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 3.0.4 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33671 | MEDIUM 5.52 | picomatch 2.3.0 fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2025-7783 | MEDIUM 5.4 | form-data 2.3.2 fixed in 2.5.4, 3.0.4, 4.0.4 | 1.6% (Low-Moderate Risk) | Directly Exposed |
| CVE-2022-33987 | MEDIUM 5.3 | got 5.7.1 fixed in 12.1.0, 11.8.5 | 1.9% (Low-Moderate Risk) | Directly Exposed |
| CVE-2022-33987 | MEDIUM 5.3 | got 6.7.1 fixed in 12.1.0, 11.8.5 | 1.9% (Low-Moderate Risk) | Directly Exposed |
| CVE-2024-4067 | MEDIUM 5.3 | micromatch 4.0.4 fixed in 4.0.8 | 1.4% (Low-Moderate Risk) | Directly Exposed |
| CVE-2024-29041 | MEDIUM 5.18 | express 4.17.1 fixed in 4.19.2, 5.0.0-beta.3 | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2023-28155 | MEDIUM 5.18 | request 2.88.0 No fix yet | 0.7% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 3.0.4 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2024-27088 | MEDIUM 4.67 | es5-ext 0.10.53 fixed in 0.10.63 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2019-2391 | MEDIUM 4.59 | bson 1.0.9 fixed in 1.1.4 | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2024-47178 | MEDIUM 4.5 | basic-auth-connect 1.0.0 fixed in 1.1.0 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2025-13465 | MEDIUM 4.5 | lodash 4.17.21 fixed in 4.17.23 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-2950 | MEDIUM 4.5 | lodash 4.17.21 fixed in 4.18.0 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2024-45296 | MEDIUM 4.5 | path-to-regexp 0.1.7 fixed in 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2024-52798 | MEDIUM 4.5 | path-to-regexp 0.1.7 fixed in 0.1.12 | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2026-4867 | MEDIUM 4.5 | path-to-regexp 0.1.7 fixed in 0.1.13 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33672 | MEDIUM 4.5 | picomatch 2.3.0 fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2025-54798 | MEDIUM 4.5 | tmp 0.0.33 fixed in 0.2.4 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2021-42383 | MEDIUM 4.32 | busybox 1.31.1-r10 fixed in 1.31.1-r11 | 2.1% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42384 | MEDIUM 4.32 | busybox 1.31.1-r10 fixed in 1.31.1-r11 | 2.6% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42385 | MEDIUM 4.32 | busybox 1.31.1-r10 fixed in 1.31.1-r11 | 2.7% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42386 | MEDIUM 4.32 | busybox 1.31.1-r10 fixed in 1.31.1-r11 | 2.6% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42383 | MEDIUM 4.32 | ssl_client 1.31.1-r10 fixed in 1.31.1-r11 | 2.1% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42384 | MEDIUM 4.32 | ssl_client 1.31.1-r10 fixed in 1.31.1-r11 | 2.6% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42385 | MEDIUM 4.32 | ssl_client 1.31.1-r10 fixed in 1.31.1-r11 | 2.7% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42386 | MEDIUM 4.32 | ssl_client 1.31.1-r10 fixed in 1.31.1-r11 | 2.6% (Low-Moderate Risk) | Post-Exploit |
| CVE-2026-24842 | MEDIUM 4.18 | tar 4.4.19 fixed in 7.5.7 | 0.5% (Theoretical Threat) | Post-Exploit |
| CVE-2022-37434 | MEDIUM 4.06 | zlib 1.2.11-r3 fixed in 1.2.11-r4 | 15.9% (High Exploitation Risk) | Post-Exploit |
| CVE-2024-43796 | MEDIUM 4 | express 4.17.1 fixed in 4.20.0, 5.0.0 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2024-43799 | MEDIUM 4 | send 0.17.1 fixed in 0.19.0 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2024-43800 | MEDIUM 4 | serve-static 1.14.1 fixed in 1.16.0, 2.1.0 | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2024-21538 | LOW 3.74 | cross-spawn 5.1.0 fixed in 7.0.5, 6.0.6 | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2024-21538 | LOW 3.74 | cross-spawn 6.0.5 fixed in 7.0.5, 6.0.6 | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2024-21538 | LOW 3.74 | cross-spawn 7.0.3 fixed in 7.0.5, 6.0.6 | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2026-26960 | LOW 3.62 | tar 4.4.19 fixed in 7.5.8 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2021-44906 | LOW 3.53 | minimist 0.0.10 fixed in 1.2.6, 0.2.4 | 4.6% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-44906 | LOW 3.53 | minimist 1.2.5 fixed in 1.2.6, 0.2.4 | 4.6% (Low-Moderate Risk) | Post-Exploit |
| CVE-2024-28863 | LOW 3.31 | tar 4.4.19 fixed in 6.2.1 | 0.9% (Theoretical Threat) | Post-Exploit |
| CVE-2026-29786 | LOW 3.21 | tar 4.4.19 fixed in 7.5.10 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2024-47764 | LOW 3.15 | cookie 0.3.1 fixed in 0.7.0 | 0.7% (Theoretical Threat) | Directly Exposed |
| CVE-2024-47764 | LOW 3.15 | cookie 0.4.0 fixed in 0.7.0 | 0.7% (Theoretical Threat) | Directly Exposed |
| CVE-2024-47764 | LOW 3.15 | cookie 0.4.1 fixed in 0.7.0 | 0.7% (Theoretical Threat) | Directly Exposed |
| CVE-2026-23745 | LOW 3.11 | tar 4.4.19 fixed in 7.5.3 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-23950 | LOW 3.01 | tar 4.4.19 fixed in 7.5.4 | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2025-7339 | LOW 2.89 | on-headers 1.0.2 fixed in 1.1.0 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2021-43138 | LOW 2.81 | async 3.2.1 fixed in 3.2.2, 2.6.4 | 3.4% (Low-Moderate Risk) | Post-Exploit |
| CVE-2026-31802 | LOW 2.8 | tar 4.4.19 fixed in 7.5.11 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2021-42374 | LOW 2.7 | busybox 1.31.1-r10 fixed in 1.31.1-r11 | 0.6% (Theoretical Threat) | Post-Exploit |
| CVE-2021-42374 | LOW 2.7 | ssl_client 1.31.1-r10 fixed in 1.31.1-r11 | 0.6% (Theoretical Threat) | Post-Exploit |
| CVE-2025-5889 | LOW 2.63 | brace-expansion 1.1.11 fixed in 2.0.2, 1.1.12, 3.0.1, 4.0.1 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2021-42378 | LOW 2.59 | busybox 1.31.1-r10 fixed in 1.31.1-r11 | 2.6% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42379 | LOW 2.59 | busybox 1.31.1-r10 fixed in 1.31.1-r11 | 2.7% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42380 | LOW 2.59 | busybox 1.31.1-r10 fixed in 1.31.1-r11 | 2.9% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42381 | LOW 2.59 | busybox 1.31.1-r10 fixed in 1.31.1-r11 | 2.7% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42382 | LOW 2.59 | busybox 1.31.1-r10 fixed in 1.31.1-r11 | 2.6% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42378 | LOW 2.59 | ssl_client 1.31.1-r10 fixed in 1.31.1-r11 | 2.6% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42379 | LOW 2.59 | ssl_client 1.31.1-r10 fixed in 1.31.1-r11 | 2.7% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42380 | LOW 2.59 | ssl_client 1.31.1-r10 fixed in 1.31.1-r11 | 2.9% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42381 | LOW 2.59 | ssl_client 1.31.1-r10 fixed in 1.31.1-r11 | 2.7% (Low-Moderate Risk) | Post-Exploit |
| CVE-2021-42382 | LOW 2.59 | ssl_client 1.31.1-r10 fixed in 1.31.1-r11 | 2.6% (Low-Moderate Risk) | Post-Exploit |
| GHSA-q3w9-g74q-vp5f | NONE 0 | express-fileupload 0.4.0 fixed in 1.1.6-alpha.6 | — | Not Applicable |
| CVE-2026-12143 | NONE 0 | form-data 2.3.2 fixed in 2.5.6, 3.0.5, 4.0.6 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2023-52555 | NONE 0 | mongo-express 0.54.0 No fix yet | 0.2% (Theoretical Threat) | Not Applicable |
| GHSA-mh5c-679w-hh4r | NONE 0 | mongodb 2.2.24 fixed in 3.1.13 | — | Not Applicable |
| GHSA-97mg-3cr6-3x4c | NONE 0 | mongodb-query-parser 1.4.3 fixed in 2.0.0 | — | Not Applicable |
| GHSA-876r-hj45-fw7g | NONE 0 | safer-eval 1.3.6 No fix yet | — | Not Applicable |
| CVE-2026-53655 | NONE 0 | tar 4.4.19 fixed in 7.5.16 | — | Not Applicable |
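The table lists only the installed version and the versions a fix shipped in, not the affected ranges, so deciding whether a rebuilt image is still behind a fix takes a little care: a package like qs has a separate fix on each 6.x minor line, and a version such as 6.5.2 must be compared with 6.5.3, not with the lowest fix in the list. The following Python script is an added example, not part of this report or of the mongo-express project. It parses the Package column in the exact form it takes above ("name installed fixed in a, b, c" or "name installed No fix yet"), orders npm semver strings (prereleases such as 1.0.0-alpha.4 sort before 1.0.0) and Alpine apk revisions such as 1.31.1-r10 (which sort after the bare version), and applies a line-matching heuristic that is this example's own assumption: a fix on the same major.minor line governs; otherwise the lowest fix newer than the installed version does; if nothing is newer the version is treated as not affected. The sample rows are copied from the table.

```python
"""Check installed versions from the report against their 'fixed in' lists."""
import re
from typing import List, Optional, Tuple

# Rows copied from the table above: (CVE, Package cell verbatim).
SAMPLE_ROWS = [
    ("CVE-2022-24999", "qs 6.5.2 fixed in 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4"),
    ("CVE-2021-3807", "ansi-regex 3.0.0 fixed in 6.0.1, 5.0.1, 4.1.1, 3.0.1"),
    ("CVE-2021-21422", "mongo-express 0.54.0 fixed in 1.0.0-alpha.4"),
    ("CVE-2024-29415", "ip 1.1.5 No fix yet"),
    ("CVE-2021-42383", "busybox 1.31.1-r10 fixed in 1.31.1-r11"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")
_CELL_RE = re.compile(r"(\S+)\s+(\S+)\s+(?:fixed in\s+(.+)|No fix yet)")


def parse_version(text: str) -> tuple:
    """Comparable key for npm semver ("1.0.0-alpha.4" is a prerelease and sorts
    before 1.0.0) and Alpine apk revisions ("1.31.1-r10" is a release and sorts
    after 1.31.1). Versions without three numeric components are rejected."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4)
    if suffix is None:
        return (major, minor, patch, (1, 0), ())
    apk = re.fullmatch(r"r(\d+)", suffix)
    if apk:  # assumption: a bare "-rN" suffix is an Alpine package revision
        return (major, minor, patch, (1, int(apk.group(1))), ())
    # semver prerelease: numeric identifiers sort before alphanumeric ones
    pre = tuple((0, int(p)) if p.isdigit() else (1, p) for p in suffix.split("."))
    return (major, minor, patch, (0, 0), pre)


def parse_package_cell(cell: str) -> Tuple[str, str, List[str]]:
    """Split "qs 6.5.2 fixed in 6.10.3, 6.9.7" into (name, installed, [fixes])."""
    m = _CELL_RE.fullmatch(cell.strip())
    if not m:
        raise ValueError(f"unrecognised package cell: {cell!r}")
    name, installed, fixed = m.group(1, 2, 3)
    return name, installed, [f.strip() for f in fixed.split(",")] if fixed else []


def governing_fix(installed: str, fixed: List[str]) -> Optional[str]:
    """Heuristic (this example's assumption, since the report gives no affected
    ranges): a fix on the same major.minor line wins; otherwise the lowest fix
    newer than the installed version; None when nothing newer exists."""
    iv = parse_version(installed)
    same_line = [f for f in fixed if parse_version(f)[:2] == iv[:2]]
    if same_line:
        return min(same_line, key=parse_version)
    newer = [f for f in fixed if parse_version(f) > iv]
    return min(newer, key=parse_version) if newer else None


def status(installed: str, fixed: List[str]) -> str:
    """Verdict string for one installed version against its fix list."""
    if not fixed:
        return "vulnerable, no fix available"
    target = governing_fix(installed, fixed)
    if target is None or parse_version(installed) >= parse_version(target):
        return "not affected"
    return f"vulnerable, upgrade to {target}"


def audit(rows) -> List[Tuple[str, str, str, str]]:
    """(cve, package, installed, verdict) for each (cve, package-cell) row."""
    out = []
    for cve, cell in rows:
        name, installed, fixed = parse_package_cell(cell)
        out.append((cve, name, installed, status(installed, fixed)))
    return out


if __name__ == "__main__":
    for cve, name, installed, verdict in audit(SAMPLE_ROWS):
        print(f"{cve:15} {name:15} {installed:12} {verdict}")
```

To re-check a rebuilt image, replace the installed version in each row with what `npm ls --json --all` reports inside the container and keep the fix lists from the table; rows that come back "vulnerable, no fix available" cannot be closed by a dependency bump and need the network-exposure mitigation described above.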