Home / Vulnerability Intelligence / CVE-2026-2966

CVE-2026-2966 - Vulnerability Analysis

LowCVSS: 3.7

Last Updated: February 23, 2026

Cesanta Mongoose - Insufficient Randomness

Published: February 23, 2026Updated: February 23, 2026PoC AvailableRemote Exploitable

Overview

Cesanta Mongoose <= 7.20 contains an insufficient randomness vulnerability caused by manipulation of the "random" argument in mg_sendnsreq function of DNS Transaction ID Handler, letting remote attackers potentially predict DNS transaction IDs, exploit requires high complexity.

Severity & Score

Severity: Low

CVSS Score: 3.7

Impact

Attackers can predict DNS transaction IDs, potentially enabling DNS spoofing or cache poisoning attacks.

Mitigation

Update to the latest version when available.

References

https://github.com/dwBruijn/CVEs/blob/main/Mongoose/mg_sendnsreq.md
https://github.com/dwBruijn/CVEs/blob/main/Mongoose/mg_sendnsreq.md#poc
https://vuldb.com/?ctiid.347333
https://vuldb.com/?id.347333
https://vuldb.com/?submit.755304

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-2966
Severity: Low
CVSS Score: 3.7
Type: undefined
Status: confirmed

CWE

CWE-310

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N