Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

100 advisories

Loading
Budibase has nonymous NoSQL operator injection via published-app query templates Critical
CVE-2026-54350 was published for @budibase/server (npm) Jun 23, 2026
kah-ja Credited to kah-ja
TypeORM: SQL Injection in UpdateQueryBuilder/SoftDeleteQueryBuilder orderBy (MySQL/MariaDB) Moderate
GHSA-9ggv-8w38-r7pm was published for typeorm (npm) Jun 19, 2026
budibase: Database Connector SQL Injections in PostgreSQL, MS SQL, and MySQL High
GHSA-qqf5-x7mj-v43p was published for budibase (npm) Jun 18, 2026
mhr-isham Credited to mhr-isham
n8n: NoSQL Injection in MongoDB Node Find And Replace Operation Moderate
CVE-2026-54313 was published for n8n (npm) Jun 16, 2026
sm1ee Credited to sm1ee
n8n: SQL Injection in Postgres v1/TimesclaeDB Nodes Moderate
CVE-2026-54310 was published for n8n (npm) Jun 16, 2026
sm1ee Credited to sm1ee
FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString Moderate
CVE-2026-47720 was published for fuxa-server (npm) Jun 8, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
NocoDB: SQL Injection via Column Title in Bulk GroupBy Moderate
CVE-2026-47384 was published for nocodb (npm) Jun 5, 2026
geo-chen Credited to geo-chen
NocoDB: Postgres SQL Injection in Formula `ARRAYSORT` Moderate
CVE-2026-47375 was published for nocodb (npm) Jun 5, 2026
leduckhuong Credited to leduckhuong
AgenticMail API/storage and outbound relay hardening fixes High
CVE-2026-47255 was published for @agenticmail/api (npm) May 29, 2026
n8n Has a Source Control Pull SQL Injection High
CVE-2026-44792 was published for n8n (npm) May 14, 2026
sm1ee Credited to sm1ee
Strapi Vulnerable to SQL Injection in Content Type Builder Critical
CVE-2026-22599 was published for @strapi/content-type-builder (npm) May 13, 2026
whiteov3rflow Credited to whiteov3rflow, derrickmehaffy, and markkaylor derrickmehaffy derrickmehaffy
markkaylor markkaylor
StarPlatinu Credited to StarPlatinu and igalklebanov igalklebanov igalklebanov
MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys High
CVE-2026-44680 was published for @mikro-orm/knex (npm) May 8, 2026
n8n has SQL Injection in SeaTable Node Moderate
CVE-2026-42229 was published for n8n (npm) Apr 29, 2026
sm1ee Credited to sm1ee
n8n has SQL Injection in Oracle Database Node via Limit Field Moderate
CVE-2026-42233 was published for n8n (npm) Apr 29, 2026
pawbednarz Credited to pawbednarz
n8n has SQL Injection in Snowflake and MySQL Nodes Moderate
CVE-2026-42237 was published for n8n (npm) Apr 29, 2026
offensiveee Credited to offensiveee
@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading High
CVE-2026-41640 was published for @nocobase/database (npm) Apr 22, 2026
p80n-sec Credited to p80n-sec
@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call High
CVE-2026-41641 was published for @nocobase/plugin-collection-sql (npm) Apr 22, 2026
p80n-sec Credited to p80n-sec
Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) Critical
CVE-2026-41478 was published for @saltcorn/server (npm) Apr 16, 2026
QiaoNPC Credited to QiaoNPC
@vendure/core has a SQL Injection vulnerability Critical
CVE-2026-40887 was published for @vendure/core (npm) Apr 14, 2026
jacobfrantz1 Credited to jacobfrantz1
@saltcorn/data vulnerable to SQL Injection via jsexprToSQL Literal Handler Low
GHSA-59xv-588h-2vmm was published for @saltcorn/data (npm) Apr 10, 2026
zulloper Credited to zulloper
Drizzle ORM has SQL injection via improperly escaped SQL identifiers High
CVE-2026-39356 was published for drizzle-orm (npm) Apr 8, 2026
EthanKim88 Credited to EthanKim88 and 0x90sh 0x90sh 0x90sh
NocoBase Has SQL Injection via template variable substitution in workflow SQL node High
CVE-2026-34825 was published for @nocobase/plugin-workflow-sql (npm) Apr 1, 2026
CE2Sec Credited to CE2Sec
Payload has an SQL Injection via Query Handling High
CVE-2026-34747 was published for payload (npm) Apr 1, 2026
hessandrew Credited to hessandrew and arkmarta arkmarta arkmarta
MikroORM is vulnerable to SQL Injection via specially crafted object Critical
CVE-2026-34220 was published for @mikro-orm/core (npm) Mar 29, 2026
lukas-eu Credited to lukas-eu
ProTip! Advisories are also available from the GraphQL API