JavaScript is a high-level, interpreted programming language essential for creating interactive web applications, running directly in web browsers to enable dynamic content and user interface enhancements. It is integral to the web development stack, working seamlessly with HTML and CSS to build responsive and feature-rich websites.

JavaScript

### Impact
An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions.
### Patches
The fix adds optimistic locking to the authData login path, ensuring that concurrent database updates for the same user fail when the original MFA token array has already been modified by another request.
### Workarounds
There is no known workaround.

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-34220	CRITICAL	9.3	JavaScript	@mikro-orm/core	No	Yes	Mar 29, 2026
CVE-2026-34221	HIGH	8.3	JavaScript	@mikro-orm/core	No	Yes	Mar 29, 2026
GHSA-7fqq-q52p-2jjg	MEDIUM	6.5	JavaScript	opencc	No	Yes	Mar 29, 2026
CVE-2026-34224	LOW	2.1	JavaScript	parse-server	No	Yes	Mar 29, 2026
GHSA-53p3-c7vp-4mcc	LOW	2.1	JavaScript	action_text-trix	No	Yes	Mar 29, 2026

CVE-2026-34224:
JavaScript vulnerability analysis and mitigation

Impact

Patches

Workarounds

2.1

Related JavaScript vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

CVE-2026-34224: JavaScript vulnerability analysis and mitigation