GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
14 advisories
Parse Server has a bypass of class-level permissions in LiveQuery
High
CVE-2026-30947
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
High
CVE-2026-30948
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server missing audience validation in Keycloak authentication adapter
High
CVE-2026-30949
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server has a protected fields bypass via dot-notation in query and sort
High
CVE-2026-31872
was published
for
parse-server
(npm)
Mar 11, 2026
StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check
High
CVE-2026-32101
was published
for
@studiocms/s3-storage
(npm)
Mar 12, 2026
OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose")
High
CVE-2026-32308
was published
for
oneuptime
(npm)
Mar 13, 2026
SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()
High
CVE-2026-33418
was published
for
@dicebear/converter
(npm)
Mar 20, 2026
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
High
CVE-2026-33468
was published
for
kysely
(npm)
Mar 20, 2026
Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.
High
CVE-2026-33442
was published
for
kysely
(npm)
Mar 20, 2026
Parse Server exposes auth data via verify password endpoint
High
CVE-2026-34215
was published
for
parse-server
(npm)
Mar 29, 2026
Parse Server has an auth provider validation bypass on login via partial authData
High
CVE-2026-33409
was published
for
parse-server
(npm)
Mar 19, 2026
Parse Server's LiveQuery bypasses CLP pointer permission enforcement
High
CVE-2026-33421
was published
for
parse-server
(npm)
Mar 20, 2026
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions
High
CVE-2026-34603
was published
for
@tinacms/graphql
(npm)
Apr 1, 2026
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions
High
CVE-2026-34604
was published
for
@tinacms/graphql
(npm)
Apr 1, 2026
ProTip!
Advisories are also available from the
GraphQL API