ArangoDB - 6 CVEs (Page 1/1)

About “ArangoDB”

A curated feed of “ArangoDB”-related CVEs appears below. We currently track 6 CVEs for this tag (all time). In the last 365 days, 2 were published. Average CVSS is 6.5 (all time; 5.8 over 365d), and 33% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

In our taxonomy this topic maps to a MODERATE impact class. Databases, proxies, and web servers often need coordinated restarts and config checks. Patch only modules you deploy, verify TLS and authentication, and tune limits. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: arangodb

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	EOL
3.12	2024-03-21	3.12.9.2	-
3.11	2023-05-23	3.11.14.4	-
3.10	2022-09-29	3.10.14	2024-04-15 Expired
3.9	2022-02-07	3.9.12	2023-09-15 Expired
3.8	2021-07-14	3.8.9	2023-04-30 Expired
3.7	2020-04-10	3.7.18	2022-05-31 Expired
3.6	2019-12-30	3.6.16	2021-08-31 Expired
3.5	2019-08-14	3.5.7	2020-12-31 Expired
3.4	2018-12-05	3.4.11	2020-06-21 Expired
3.3	2017-12-14	3.3.25	2020-02-29 Expired
3.2	2017-07-19	3.2.18	2019-03-31 Expired
3.1	2016-11-02	3.1.29	- Expired
3.0	2016-06-22	3.0.12	- Expired
2.8	2016-01-25	2.8.11	2018-06-15 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS (expired) · ICS

Subscribe CVEs: RSS for “ArangoDB” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2026-05-04

Medium

CVE-2026-7715

A vulnerability has been found in ravenwits mcp-server-arangodb up to 0.4.7. This affects the function arango_backup of the file src/tools.ts of the component MCP Interface. Such manipulation of the…

CVSS: 6.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD

2026-02-15

Medium

CVE-2019-25367

ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. Attacke…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2022-09-08

Critical

CVE-2022-36084

cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate…

CVSS: 9.9 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD

2022-02-09

Low

CVE-2021-25939

In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests pe…

CVSS: 2.7 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD

2021-11-16

High

CVE-2021-25940

In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malici…

CVSS: 8.8 CWE: CWE-613 - Insufficient Session Expiration View on NVD

2021-05-24

Medium

CVE-2021-25938

In ArangoDB, versions v2.2.6.2 through v3.7.10 are vulnerable to Cross-Site Scripting (XSS), since there is no validation of the .zip file name and filtering of potential abusive characters which zip…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD