SB2026061624 - MongoDB Enterprise Advanced with IBM update for plexus-utils




Published: June 16, 2026

Security Bulletin ID: SB2026061624
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Path traversal (CVE-ID: CVE-2025-67030)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to write arbitrary files.

The vulnerability exists due to path traversal in the extractFile function when extracting archive entries with traversal sequences or absolute paths. A remote attacker can supply a specially crafted archive to write arbitrary files.

If a written file is later used as an executable or configuration file, this may lead to code execution in the context of the current working user.
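The check that blocks this class of bug, shown as an added example that is not taken from this bulletin, plexus-utils, or the vendor's fix: resolve each archive entry name against the extraction directory and reject any entry that is absolute or resolves outside it. The function names, the destination path `/opt/app/extract`, and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import zipfile


def entry_escapes(name, dest):
    """True if joining the entry name onto dest would leave dest."""
    # Treat backslashes as separators too: an extractor on Windows will.
    unix_name = name.replace("\\", "/")
    # Absolute and drive-letter paths ignore the destination entirely.
    if unix_name.startswith("/") or (len(unix_name) > 1 and unix_name[1] == ":"):
        return True
    # Resolve ".." lexically, then require the result to stay under dest.
    root = posixpath.normpath(dest)
    resolved = posixpath.normpath(posixpath.join(root, unix_name))
    return not (resolved == root or resolved.startswith(root + "/"))


def escaping_entries(archive_bytes, dest="/opt/app/extract"):
    """List ZIP entry names that must not be extracted into dest."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if entry_escapes(n, dest)]


def build_sample_archive():
    """Constructed sample: two benign and four escaping names, in memory only."""
    names = (
        "docs/readme.txt",           # benign
        "a/../b.txt",                # benign: ".." stays inside dest
        "../../outside.txt",         # traversal sequence
        "/tmp/abs.txt",              # absolute path
        "lib\\..\\..\\outside.dll",  # traversal with backslash separators
        "C:\\Temp\\x.ini",           # drive-letter absolute path
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for name in escaping_entries(build_sample_archive()):
        print("reject:", name)
```

The check is lexical only; it does not cover symbolic links already present in the destination directory.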


Remediation

Install the update from the vendor's website.