GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
14 advisories
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions
High
CVE-2026-34604
was published
for
@tinacms/graphql
(npm)
Apr 1, 2026
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions
High
CVE-2026-34603
was published
for
@tinacms/graphql
(npm)
Apr 1, 2026
Parse Server exposes auth data via verify password endpoint
High
CVE-2026-34215
was published
for
parse-server
(npm)
Mar 29, 2026
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
High
CVE-2026-33468
was published
for
kysely
(npm)
Mar 20, 2026
Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.
High
CVE-2026-33442
was published
for
kysely
(npm)
Mar 20, 2026
Parse Server's LiveQuery bypasses CLP pointer permission enforcement
High
CVE-2026-33421
was published
for
parse-server
(npm)
Mar 20, 2026
SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()
High
CVE-2026-33418
was published
for
@dicebear/converter
(npm)
Mar 20, 2026
Parse Server has an auth provider validation bypass on login via partial authData
High
CVE-2026-33409
was published
for
parse-server
(npm)
Mar 19, 2026
OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose")
High
CVE-2026-32308
was published
for
oneuptime
(npm)
Mar 13, 2026
StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check
High
CVE-2026-32101
was published
for
@studiocms/s3-storage
(npm)
Mar 12, 2026
Parse Server has a protected fields bypass via dot-notation in query and sort
High
CVE-2026-31872
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server missing audience validation in Keycloak authentication adapter
High
CVE-2026-30949
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
High
CVE-2026-30948
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server has a bypass of class-level permissions in LiveQuery
High
CVE-2026-30947
was published
for
parse-server
(npm)
Mar 11, 2026
ProTip!
Advisories are also available from the
GraphQL API