I feel this is one of these “security” issues that don’t deserve fixing:
> in unusual circumstances when the source of these BSON documents is not
> MongoDB Server.

This feels like Curriculum Vitae Enhancement and not a real security issue as this reads “are you parsing data from untrusted sources”?

Ondrej
--
Ondřej Surý (He/Him)

A gentle nudge is always appreciated if I take a little longer to reply.

> On 16. 5. 2026, at 9:17, Salvatore Bonaccorso <[email protected]> wrote:
>
> Source: php-mongodb
> Version: 2.1.0-1
> Severity: important
> Tags: security upstream
> Forwarded: https://jira.mongodb.org/browse/PHPC-2636
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> Hi,
>
> The following vulnerability was published for php-mongodb.
>
> CVE-2026-6811[0]:
> | Stack exhaustion vulnerability in the MongoDB PHP driver can cause
> | application crashes when processing deeply nested BSON documents in
> | unusual circumstances when the source of these BSON documents is not
> | MongoDB Server.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-6811
>     https://www.cve.org/CVERecord?id=CVE-2026-6811
> [1] https://jira.mongodb.org/browse/PHPC-2636
> [2] https://github.com/mongodb/mongo-php-driver/commit/2060beb85a041182550d022ec223783ffdaf6ec8
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

