144 matches found

EUVD
added 2025/11/12 4:29 a.m. · views: 1

EUVD-2025-111328

Malicious code in meissa-alphard-xanadu-graphql npm...

AI score: 6.6
Exploits: 0
EUVD
added 2025/11/12 4:29 a.m. · views: 1

EUVD-2025-113115

Malicious code in graphql-chai-schema-elara npm...

AI score: 6.6
Exploits: 0
Spring Engineering
added 2025/11/10 12:00 a.m. · views: 4

This Week in Spring - November 10th, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! As I write this I am preparing for a flight to North Carolina (first in flight!). This week's going to be busy, but next week even busier still! I'll be at AI By The Bay in San Francisco, AI Native Dev Con in NYC, and QCon SF i...

AI score: 6.8
Exploits: 0
Positive Technologies
added 2025/11/06 12:00 a.m. · views: 2

PT-2025-45526

Name of the Vulnerable Software and Affected Versions: SuiteCRM versions 8.6.0 through 8.9.0. Description: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.6.0 through 8.9.0 are susceptible to an authenticated, blind time-based...

CVSS: 6.8 · AI score: 6.7 · EPSS: 0.00036
Exploits: 0 · References: 15
CVE
added 2025/10/27 12:05 a.m. · views: 16

CVE-2025-11447

CVE-2025-11447 affects GitLab CE/EE with DoS risk from unauthenticated GraphQL requests carrying crafted JSON payloads. Affected versions include 11.0–18.3.5, 18.4 prior to 18.4.3, and 18.5 prior to 18.5.1. Remediation has been issued; updates to GitLab 18.5.1 (and later) address the issue. Explo...

CVSS: 7.5 · AI score: 6.5 · EPSS: 0.00071
Exploits: 0 · References: 3 · Affected Software: 1
Cvelist
added 2025/10/27 12:05 a.m. · views: 7

CVE-2025-11447 Allocation of Resources Without Limits or Throttling in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending GraphQL requests with crafted JSON payloads...

CVSS: 7.5 · EPSS: 0.00071
Exploits: 0 · References: 3
OSV
added 2025/10/27 12:05 a.m. · views: 2

CVE-2025-11447 Allocation of Resources Without Limits or Throttling in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending GraphQL requests with crafted JSON payloads...

CVSS: 7.5 · AI score: 8.9 · EPSS: 0.00071
Exploits: 0 · References: 6
OSV
added 2025/10/11 9:04 a.m. · views: 2

BIT-GITLAB-2025-10004 Allocation of Resources Without Limits or Throttling in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs...

CVSS: 7.5 · AI score: 6.9 · EPSS: 0.0005
Exploits: 0 · References: 4
RedhatCVE
added 2025/10/10 12:25 p.m. · views: 1

CVE-2025-10004

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs...

CVSS: 7.5 · AI score: 6.7 · EPSS: 0.0005
Exploits: 0 · References: 1
OSV
added 2025/10/09 8:29 p.m. · views: 1

CVE-2025-61601 BigBlueButton vulnerable to DoS via PollSubmitVote GraphQL mutation

BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's Choices response type. By submitting a malicious payload with a massive array in...

CVSS: 7.5 · AI score: 6.7 · EPSS: 0.00142
Exploits: 1 · References: 5
Cvelist
added 2025/10/09 8:29 p.m. · views: 5

CVE-2025-61601 BigBlueButton vulnerable to DoS via PollSubmitVote GraphQL mutation

BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's Choices response type. By submitting a malicious payload with a massive array in...

CVSS: 7.5 · EPSS: 0.00142
Exploits: 1 · References: 3
OSV
added 2025/10/09 12:04 p.m. · views: 1

CVE-2025-10004 Allocation of Resources Without Limits or Throttling in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs...

CVSS: 7.5 · AI score: 6.5 · EPSS: 0.0005
Exploits: 0 · References: 6
Vulnrichment
added 2025/10/09 12:04 p.m. · views: 1

CVE-2025-11340 Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scope...

CVSS: 7.7 · AI score: 6.4 · EPSS: 0.00014
Exploits: 0 · References: 2
Wallarm Lab
added 2025/10/09 11:00 a.m. · views: 4

API Attack Awareness: Injection Attacks in APIs – Old Threat, New Surface

Injection attacks are among the oldest tricks in the attacker playbook. And yet they persist. The problem is that the core weakness, trusting user inputs too much, keeps resurfacing in new forms. As organizations have shifted to API-driven architectures and integrated AI systems that consume...

AI score: 7.4
Exploits: 0
EUVD
added 2025/10/03 8:07 p.m. · views: 1

EUVD-2025-29175

Malicious code in bioql PyPI...

CVSS: 7.5 · AI score: 6.5 · EPSS: 0.00501
Exploits: 1 · References: 4
EUVD
added 2025/10/03 8:07 p.m. · views: 1

EUVD-2025-31326

Malicious code in bioql PyPI...

CVSS: 6.5 · AI score: 6.3 · EPSS: 0.00029
Exploits: 0 · References: 2
EUVD
added 2025/10/03 8:07 p.m. · views: 1

EUVD-2025-29425

Malicious code in bioql PyPI...

AI score: 6.6
Exploits: 0 · References: 4
OSV
added 2025/10/01 3:10 p.m. · views: 4

BIT-GITLAB-2025-10867 Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated requests...

CVSS: 6.5 · AI score: 6.8 · EPSS: 0.00029
Exploits: 0 · References: 2
CVE
added 2025/09/26 10:38 p.m. · views: 11

CVE-2025-59845

CVE-2025-59845 covers a CSRF flaw in Apollo Studio Embeddable Sandbox and Embeddable Explorer caused by missing origin validation in window.postMessage handling. The issue affects embedded Sandbox/Explorer prior to versions 2.7.2 and 3.7.3, allowing a malicious site to forge messages that trigger...

CVSS: 8.2 · AI score: 7 · EPSS: 0.00018
Exploits: 0 · References: 1
CVE
added 2025/09/26 9:04 a.m. · views: 9

CVE-2025-10867

CVE-2025-10867 affects GitLab CE/EE and can allow an authenticated user to cause a denial-of-service by repeatedly hitting an unprotected GraphQL API. Affected versions are GitLab 18.1 up to but not including 18.2.7, 18.3 up to but not including 18.3.3, and 18.4 up to but not including 18.4.1. Th...

CVSS: 6.5 · AI score: 6.4 · EPSS: 0.00029
Exploits: 0 · References: 1 · Affected Software: 1