Remote code execution in mongo-express
mongo-express offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769.
Advisories for Npm/Mongodb-Query-Parser package
2021
2020
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in mongodb-query-parser.