CVE-2026-1101 Improper Validation of Specified Quantity in Input in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries...

CVE-2026-33756

CVE-2026-33756 affects Saleor (e-commerce platform). The vulnerability lies in unbounded GraphQL query batching: from 2.0.0 up to just before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the service allowed multiple GraphQL operations in a single HTTP request without an upper limit, bypassing per-qu...

PT-2026-31539

Name of the Vulnerable Software and Affected Versions GitLab EE versions 18.2 through 18.8.9, 18.9 through 18.9.5, and 18.10 through 18.10.3 Description The issue involves improper input validation in GraphQL queries, potentially allowing an authenticated user to cause a denial of service to the...

CVE-2026-35441

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive...

PT-2026-30330

Name of the Vulnerable Software and Affected Versions Directus affected versions not specified Description When GRAPHQL INTROSPECTION=false is configured, Directus blocks standard GraphQL introspection queries but the /graphql/system endpoint's server specs graphql resolver returns an equivalent...

CVE-2026-34604 @tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed conten...

CVE-2026-33949

Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. T...

CVE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads...

EUVD-2026-17500

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads...

CVE-2026-34373 Parse Server: GraphQL API endpoint ignores CORS origin restriction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This...

CVE-2026-3988

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance unresponsive due to improper input validation in...

CVE-2026-33290

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user including a custom role with zero capabilities to change moderation status of their own comment for example to APPROVE without the...

CVE-2026-21886 OpenCTI's GraphQL Mutations Allow Deletion of Unrelated Entities

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this...

CVE-2026-1069

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances...

GHSA-CMJ3-WX7H-FFVG Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API

Impact An unauthenticated attacker can exhaust Parse Server resources CPU, memory, database connections through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. Patches The vulnerabili...

CVE-2026-31800 Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the GraphQLConfig and Audience internal classes can be read, modified, and deleted via the generic /classes/GraphQLConfig and /classes/Audience REST API rout...

PT-2026-24424

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.5.2-alpha.2 Parse Server versions prior to 8.6.15 Description Parse Server, an open-source backend deployable on Node.js infrastructures, is susceptible to resource exhaustion. An unauthenticated attacker can...

Missing Authorization

craftcms/cms is vulnerable to Missing Authorization. The vulnerability is due to missing authorization checks in the GraphQL @parseRefs directive, which allows an attacker to access sensitive attributes of CMS elements without proper permissions...

CVE-2026-30241 Mercurius: queryDepth limit bypassed for WebSocket subscriptions

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are...

CVE-2025-9572

n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass...