SurrealDB vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

Get a demo

Browse by ecosystem

npmPyPIMavenGoRubyGemsCargoNuGetComposerpubSwiftGitHub Actions
CVE-IDSeverityPackage summary
CVE-2026-49997Mediumsurrealdb: SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deletedGHSA-FWG2-GR34-Q3W8Mediumsurrealdb: SurrealDB: ES512 silently downgraded to ES384 due to jsonwebtoken crate limitationGHSA-C8JX-96C9-8XRPMediumsurrealdb: SurrealDB: Field-level SELECT permissions bypassed via indexed COUNT fast pathsGHSA-WP87-MGVQ-5J93Mediumsurrealdb: SurrealDB: USE NS/DB implicit creation bypasses DEFINE authorizationGHSA-97VG-427P-8HX5Mediumsurrealdb: SurrealDB: Port-specific --deny-net rules silently bypassed on HTTP redirectGHSA-6WQW-VHFR-9999Mediumsurrealdb: SurrealDB: Authenticated subscribers can read records hidden by SELECT permissions via LIVE subscriptionsGHSA-F82J-V89J-MF86Mediumsurrealdb: SurrealDB: `RELATE` overwrites existing edge records without `UPDATE` permissionGHSA-FPXG-5XMV-922MMediumsurrealdb: SurrealDB has bypass of field-level SELECT permissions through JSON Patch `copy` and `move` with empty `from`GHSA-6G9V-7GQ3-P2C6Mediumsurrealdb: SurrealDB: Authenticated callers can read fields hidden by field-level SELECT permissions via error messagesGHSA-4M82-P8CX-F94JMediumsurrealdb: SurrealDB: LIVE query subscriptions survive session state changes, bypassing access controlsGHSA-65RJ-R9FH-JP2VMediumsurrealdb: SurrealDB vulnerable to pre-auth memory amplification via unbounded `/sql` WebSocket framesGHSA-GCWR-5MRF-FVCHMediumsurrealdb: SurrealDB: Authorization Bypass in KILL Statement Allows Termination of Other Users' Live QueriesGHSA-4V76-CW68-4VC9Mediumsurrealdb: SurrealDB: Crafting malicious LIVE queries writes to the database, resulting in DoS, without permission to the table requiredGHSA-6VG3-HGRW-P5GFMediumsurrealdb: SurrealDB has an Authorization Bypass via Composite Record-id PathsGHSA-VJJX-RFW4-RMFCMediumsurrealdb: SurrealDB: Graph traversal bypasses table SELECT permissionsGHSA-98FX-66CF-FC7CMediumsurrealdb: SurrealDB: Scraping a TABLE with no available PERMISSIONS to current auth levelGHSA-Q8QP-67F9-WR3FMediumsurrealdb: SurrealDB vulnerable to Denial of Service due to nested types annotationsGHSA-WJJJ-24CX-F28GHighsurrealdb: SurrealDB has unauthenticated remote DoS via malformed RPC `use` callGHSA-Q729-696Q-G9PQHighsurrealdb: SurrealDB has Denial of Service in JSON parser due to nested objectsGHSA-4VGR-H27G-CF9PHighsurrealdb: SurrealDB: HTTP RPC Session Race Condition Allows Privilege EscalationGHSA-5QFP-32CF-69JHHighsurrealdb: SurrealDB: HTTP /rpc `sessions` method leaks attached session UUIDs, enabling full session hijack by anonymous callersGHSA-JV2J-MQMW-XVV5Mediumsurrealdb: SurrealDB: Denial of Service via deep operator chainsGHSA-HV6H-HC26-Q48PMediumsurrealdb: SurrealDB: Field-level SELECT permissions bypassed via graph and reference traversalsGHSA-H4H3-3RFJ-X6FQMediumsurrealdb: SurrealDB: Indexed ORDER BY leaks the value ordering of a SELECT-restricted fieldGHSA-CC8F-FCX3-GPJRHighsurrealdb: SurrealDB: Arbitrary file read via DEFINE ANALYZER mapper() filter

Stop the waste.
Protect your environment with Kodem.