GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

761 advisories

Budibase has anonymous NoSQL operator injection via published-app query templates Critical
CVE-2026-54350 was published for @budibase/server (npm) Jun 23, 2026
Credited to kah-ja
TypeORM: SQL Injection in UpdateQueryBuilder/SoftDeleteQueryBuilder orderBy (MySQL/MariaDB) Moderate
GHSA-9ggv-8w38-r7pm was published for typeorm (npm) Jun 19, 2026
budibase: Database Connector SQL Injections in PostgreSQL, MS SQL, and MySQL High
GHSA-qqf5-x7mj-v43p was published for budibase (npm) Jun 18, 2026
Credited to mhr-isham
LangChain4j: SQL injection via metadata filters in langchain4j-mariadb and langchain4j-pgvector High
CVE-2026-55405 was published for dev.langchain4j:langchain4j-mariadb (Maven) Jun 17, 2026
Credited to v9d0g and oscarpg
n8n: NoSQL Injection in MongoDB Node Find And Replace Operation Moderate
CVE-2026-54313 was published for n8n (npm) Jun 16, 2026
Credited to sm1ee
n8n: SQL Injection in Postgres v1/TimescaleDB Nodes Moderate
CVE-2026-54310 was published for n8n (npm) Jun 16, 2026
Credited to sm1ee
Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint Moderate
CVE-2026-46371 was published for github.com/fleetdm/fleet/v4 (Go) Jun 12, 2026
Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint Moderate
CVE-2026-46370 was published for github.com/fleetdm/fleet/v4 (Go) Jun 12, 2026
TYPO3 CMS has Privilege Escalation & SQL Injection in its Form Framework High
CVE-2026-49741 was published for typo3/cms-core (Composer) Jun 12, 2026
FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString Moderate
CVE-2026-47720 was published for fuxa-server (npm) Jun 8, 2026
Credited to adrgs and aisafe-bot
NocoDB: SQL Injection via Column Title in Bulk GroupBy Moderate
CVE-2026-47384 was published for nocodb (npm) Jun 5, 2026
Credited to geo-chen
NocoDB: Postgres SQL Injection in Formula `ARRAYSORT` Moderate
CVE-2026-47375 was published for nocodb (npm) Jun 5, 2026
Credited to leduckhuong
OpenMeter: SQL injection through meter creation Moderate
CVE-2026-8462 was published for github.com/openmeterio/openmeter (Go) Jun 4, 2026
stigmem-node's Postgres schema identifier handling required defensive quoting High
GHSA-9pc9-4crj-mhpj was published for stigmem-node (pip) May 29, 2026
AgenticMail API/storage and outbound relay hardening fixes High
CVE-2026-47255 was published for @agenticmail/api (npm) May 29, 2026
ezsystems/ezpublish-legacy has a SQL injection in dfscleanup High
CVE-2026-38739 was published for ezsystems/ezpublish-legacy (Composer) May 29, 2026
Credited to Goaterino
Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save High
CVE-2026-5394 was published for pimcore/pimcore (Composer) May 28, 2026
Credited to researchatfluidattacks
Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix Moderate
CVE-2026-45073 was published for symfony/cache (Composer) May 27, 2026
Credited to FORIMOC and nicolas-grekas
Langroid has Prompt to SQL Injection, Leading to RCE Critical
CVE-2026-25879 was published for langroid (pip) May 27, 2026
Credited to Ka7arotto
Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter High
CVE-2026-44741 was published for pimcore/admin-ui-classic-bundle (Composer) May 27, 2026
Credited to tikket1
Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration High
CVE-2026-44739 was published for pimcore/pimcore (Composer) May 27, 2026
Credited to msayedZiko
YesWiki: Unauthenticated SQL Injection Critical
CVE-2026-46670 was published for yeswiki/yeswiki (Composer) May 22, 2026
Credited to SamyGhannad
Drupal Core has a SQL Injection issue Critical
CVE-2026-9082 was published for drupal/core (Composer) May 20, 2026
Credited to Rudloff and orbegam
BillaBear is Vulnerable to SQL Injection in the EventRepository High
CVE-2026-31069 was published for billabear/billabear (Composer) May 19, 2026
georgringer/news has SQL Injection in extension "News system" (news) High
CVE-2026-8726 was published for georgringer/news (Composer) May 19, 2026
Credited to eliashaeussler and RobertLang