GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
84 advisories
@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading
High
CVE-2026-41640 was published for @nocobase/database (npm) on Apr 22, 2026
@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call
High
CVE-2026-41641 was published for @nocobase/plugin-collection-sql (npm) on Apr 22, 2026
Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)
Critical
CVE-2026-41478 was published for @saltcorn/server (npm) on Apr 16, 2026
@vendure/core has a SQL Injection vulnerability
Critical
CVE-2026-40887 was published for @vendure/core (npm) on Apr 14, 2026
@saltcorn/data vulnerable to SQL Injection via jsexprToSQL Literal Handler
Low
GHSA-59xv-588h-2vmm was published for @saltcorn/data (npm) on Apr 10, 2026
Drizzle ORM has SQL injection via improperly escaped SQL identifiers
High
CVE-2026-39356 was published for drizzle-orm (npm) on Apr 8, 2026
NocoBase Has SQL Injection via template variable substitution in workflow SQL node
High
CVE-2026-34825 was published for @nocobase/plugin-workflow-sql (npm) on Apr 1, 2026
Payload has an SQL Injection via Query Handling
High
CVE-2026-34747 was published for payload (npm) on Apr 1, 2026
MikroORM is vulnerable to SQL Injection via specially crafted object
Critical
CVE-2026-34220 was published for @mikro-orm/core (npm) on Mar 29, 2026
n8n has SQL Injection in Data Table Node via orderByColumn Expression
High
CVE-2026-33713 was published for n8n (npm) on Mar 26, 2026
n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode
Critical
CVE-2026-33660 was published for n8n (npm) on Mar 25, 2026
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
High
CVE-2026-33539 was published for parse-server (npm) on Mar 24, 2026
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
High
CVE-2026-33468 was published for kysely (npm) on Mar 20, 2026
Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.
High
CVE-2026-33442 was published for kysely (npm) on Mar 20, 2026
OneUptime ClickHouse vulnerable to SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters
High
CVE-2026-33142 was published for oneuptime (npm) on Mar 18, 2026
SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.
High
CVE-2026-32763 was published for kysely (npm) on Mar 18, 2026
OneUptime ClickHouse SQL Injection via Aggregate Query Parameters
Critical
CVE-2026-32306 was published for oneuptime (npm) on Mar 13, 2026
Parse Server has a SQL injection via query field name when using PostgreSQL
Moderate
CVE-2026-32234 was published for parse-server (npm) on Mar 12, 2026
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Critical
CVE-2026-31871 was published for parse-server (npm) on Mar 11, 2026
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Critical
CVE-2026-31856 was published for parse-server (npm) on Mar 11, 2026
Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type
High
CVE-2026-30951 was published for sequelize (npm) on Mar 11, 2026
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Critical
CVE-2026-31840 was published for parse-server (npm) on Mar 10, 2026
NocoDB Vulnerable to SQL Injection via DATEADD Formula
Moderate
CVE-2026-28399 was published for nocodb (npm) on Mar 3, 2026
n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes
Moderate
GHSA-f3f2-mcxc-pwjx was published for n8n (npm) on Feb 26, 2026
n8n has Potential Remote Code Execution via Merge Node
Critical
CVE-2026-27497 was published for n8n (npm) on Feb 25, 2026