Security: walinejs/waline
Security
No security policy detected
This project has not set up a SECURITY.md file yet.
NoSQL injection in the login endpoint (POST /api/token): a non-string email is silently dropped by the MongoDB storage adapter, producing a match-all filter so the password is verified against the first-registered user (the administrator) — a partial authentication bypass
GHSA-jf75-q64q-g65r published Jun 12, 2026 by lizheming
Severity: Moderate
Learn more about advisories related to walinejs/waline in the GitHub Advisory Database