- Package: src:php-mongodb
- Source: src:php-mongodb
- Submitter: Salvatore Bonaccorso
- Date: 2026-05-16 09:09:02 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for php-mongodb.

CVE-2026-6811[0]:
| Stack exhaustion vulnerability in the MongoDB PHP driver can cause
| application crashes when processing deeply nested BSON documents in
| unusual circumstances when the source of these BSON documents is not
| MongoDB Server.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-6811
    https://www.cve.org/CVERecord?id=CVE-2026-6811
[1] https://jira.mongodb.org/browse/PHPC-2636
[2] https://github.com/mongodb/mongo-php-driver/commit/2060beb85a041182550d022ec223783ffdaf6ec8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

I feel this is one of these “security” issues that don’t deserve fixing:

This feels like Curriculum Vitae Enhancement and not a real security issue as this reads “are you parsing data from untrusted sources”?

Ondrej
--
Ondřej Surý (He/Him)

A gentle nudge is always appreciated if I take a little longer to reply.

Hi Ondřej,

Ack, so let's mark it no-dsa for older series and just fix it in unstable/forky once it enters with the new upstream version?

Apparently the CVE itself was assigned by the MongoDB CNA itself, so they apparently did still consider it with security impact.

Thanks a lot for this quick comment, much appreciated!

Salvatore
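
Added example (not part of the thread, and not the upstream fix in [2]): a non-recursive pre-check that bounds BSON nesting depth before a buffer from a source other than MongoDB Server is handed to a decoder. The names `bson_depth`, `STACK_MAX` and `limit` are assumptions of this sketch; it scans structure only, and rejects regex and code-with-scope elements instead of descending into them.

```c
#include <stdint.h>
#include <string.h>
#define STACK_MAX 64  /* assumed hard cap on tracked depth, not a driver constant */
/* Little-endian int32 at p, or 0 (never a valid document length) if out of bounds. */
static uint32_t rd32(const uint8_t *b, size_t lim, size_t p) {
    if (lim < 4 || p > lim - 4) return 0;
    return b[p] | (uint32_t)b[p+1] << 8 | (uint32_t)b[p+2] << 16 | (uint32_t)b[p+3] << 24;
}

/* Max nesting depth, or -1 if malformed or deeper than `limit`. An explicit stack
   of end offsets replaces recursion, so nesting never grows the call stack. */
int bson_depth(const uint8_t *b, size_t n, int limit) {
    size_t end[STACK_MAX] = { n }, p = 4;
    int d = 1, max = 1;
    if (limit < 1 || limit > STACK_MAX || n < 5 || rd32(b, n, 0) != n) return -1;
    while (d > 0) {
        size_t lim = end[d - 1];
        uint64_t skip = 0;
        if (p >= lim) return -1;
        uint8_t t = b[p++];
        if (t == 0) { if (p != lim) return -1; d--; continue; }  /* document end */
        const uint8_t *z = memchr(b + p, 0, lim - p);             /* element name */
        if (!z) return -1;
        p = (size_t)(z - b) + 1;
        switch (t) {
        case 0x06: case 0x0A: case 0x7F: case 0xFF: break;
        case 0x08: skip = 1; break;   case 0x10: skip = 4; break;
        case 0x07: skip = 12; break;  case 0x13: skip = 16; break;
        case 0x01: case 0x09: case 0x11: case 0x12: skip = 8; break;
        case 0x02: case 0x05: case 0x0C: case 0x0D: case 0x0E:  /* length-prefixed */
            skip = 4u + (uint64_t)rd32(b, lim, p) + (t == 0x05 ? 1u : t == 0x0C ? 12u : 0u);
            break;
        case 0x03: case 0x04: {  /* embedded document/array: push, never recurse */
            uint32_t len = rd32(b, lim, p);
            if (len < 5 || len > lim - p || d == limit) return -1;
            end[d++] = p + len; p += 4;
            if (d > max) max = d;
            continue; }
        default: return -1;  /* regex, code-with-scope, unknown: rejected here */
        }
        if (skip > lim - p) return -1;
        p += (size_t)skip;
    }
    return p == n ? max : -1;
}

/* Constructed samples: {"a":{"a":{}}}, and the same with an overlong inner length. */
const uint8_t nested3[] = {21,0,0,0, 3,'a',0, 13,0,0,0, 3,'a',0, 5,0,0,0, 0,0,0};
const uint8_t overrun[] = {21,0,0,0, 3,'a',0, 13,0,0,0, 3,'a',0, 9,0,0,0, 0,0,0};
```

A caller would treat -1 as "do not decode" and pick `limit` well below the depth at which its decoder's recursion becomes a concern.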