Lucene search
+L

229 matches found

EUVD
EUVD
added yesterday5 views

EUVD-2026-45031

remorses/genql before version 6.3.4 allows an authenticated attacker with control of the GraphQL schema that is passed to genql to inject arbitrary JavaScript or TypeScript. The malicious code is injected into the generated schema.ts file and executes when the genql client is bundled and imported...

7.1CVSS6.2AI score
Exploits0References4
CVE
CVE
added 2026/07/08 9:8 p.m.9 views

CVE-2026-35211

OpenCTI exposes a script filter operator in the GraphQL FilterOperator enum prior to version 7.260401.0. An authenticated user with the KNOWLEDGE capability can pass user-supplied Elasticsearch Painless script values directly into search queries without validation, enabling potentially expensive ...

6.5CVSS6AI score0.0037EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/07/08 8:46 p.m.89 views

CVE-2026-6352

GitLab EE contains an authorization flaw in GraphQL operations that could allow an authenticated user with auditor-level access to modify compliance violation records. Affected versions include all 18.2-era releases before 18.11.7, all 19.0-era releases before 19.0.4, and all 19.1-era releases be...

2.7CVSS6AI score0.00264EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/07/08 1:27 p.m.15 views

CVE-2026-44840

CVE-2026-44840 (Dgraph) : The vulnerability is in the GraphQL path for checkUserPassword, where user-supplied password values are interpolated into a DQL query via fmt.Sprintf without escaping or parameterization. This allows a specially crafted password (e.g., containing a ".") to break the DQL ...

7.5CVSS6.1AI score0.00484EPSS
Exploits0References3
OSV
OSV
added 2026/07/07 3:26 p.m.9 views

GO-2026-5837 Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query in github.com/dgraph-io/dgraph

Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query in github.com/dgraph-io/dgraph...

7.5CVSS5.9AI score0.00484EPSS
Exploits0References3
NVD
NVD
added 2026/07/06 9:16 a.m.18 views

CVE-2026-9165

A flaw was found in Red Hat Advanced Cluster Security for Kubernetes RHACS. Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central...

7.7CVSS0.00319EPSS
Exploits0References5
CVE
CVE
added 2026/07/06 8:46 a.m.22 views

CVE-2026-9165

Summary : A flaw in Red Hat Advanced Cluster Security for Kubernetes (RHACS) Central allows unbounded GraphQL query depth on the authenticated GraphQL API, enabling a token-authenticated user to issue deeply nested queries that exhaust resources and cause a denial of service to the management pla...

7.7CVSS5.9AI score0.00319EPSS
Exploits0References5
CVE
CVE
added 2026/06/29 5:21 p.m.16 views

CVE-2026-57954

Vulnerability summary (CVE-2026-57954) Elide 7.1.17 has a flaw in SortingImpl.getValidSortingRules where @ReadPermission is not enforced on client-supplied sort expressions. This allows attackers to sort collections by forbidden fields and infer hidden field values via row ordering analysis, leak...

5.3CVSS5.8AI score0.00168EPSS
Exploits0References2
OSV
OSV
added 2026/06/29 5:21 p.m.4 views

CVE-2026-57954 Elide 7.1.17 - Permission Bypass in Sort Expression Validation

Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across...

5.3CVSS6AI score0.00168EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.10 views

PT-2026-53672

Name of the Vulnerable Software and Affected Versions Elide versions prior to 7.1.18 Description Insufficient enforcement of @ReadPermission within the getValidSortingRules function of SortingImpl allows attackers to use forbidden fields in client-supplied sort expressions. By analyzing the...

5.3CVSS5.9AI score0.00168EPSS
Exploits0References6
OSV
OSV
added 2026/06/24 9:36 p.m.3 views

CVE-2026-55455 Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils used by the REST API and GraphQL datasource plugins validates hosts against an exact-match string denylist. The comprehensive address-class check...

5.3CVSS6AI score0.0022EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.16 views

PT-2026-50547

Today I received a public security credit for a vulnerability I responsibly disclosed: CVE-2026-54683 – Improper authorization in NL Portal The vulnerability allowed any authenticated portal user to download documents belonging to other users when they had access to a valid document identifier. A...

6.5CVSS5.2AI score
Exploits0References7
OSV
OSV
added 2026/06/16 12:40 p.m.5 views

BIT-PARSE-2026-47248 Parse Server: GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-err...

6.9CVSS5.2AI score0.00291EPSS
Exploits0References4
NVD
NVD
added 2026/06/12 7:16 p.m.14 views

CVE-2026-47248

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL...

6.9CVSS0.00291EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/12 6:21 p.m.11 views

EUVD-2026-36534

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL...

6.9CVSS5.2AI score0.00291EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/06/12 2:16 p.m.94 views

Exploit for Authorization Bypass Through User-Controlled Key in Saleor

CVE-2026-24136 - Saleor GraphQL IDOR / Unauthenticated PII Exf...

8.7CVSS5.5AI score0.00364EPSS
Exploits1
EUVD
EUVD
added 2026/06/06 12:31 a.m.15 views

EUVD-2026-34917

A server-side request forgery SSRF vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a request whose input is treated as a URL by the server and used to issue an outbound HTTP GET request without URL validation ...

8.3CVSS5.3AI score0.00226EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/05 8:51 p.m.8 views

CVE-2026-11424 Server-Side Request Forgery in Altium Platform Design GraphQL Service Allows Information Disclosure

A server-side request forgery SSRF vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a request whose input is treated as a URL by the server and used to issue an outbound HTTP GET request without URL validation ...

8.3CVSS5.3AI score0.00226EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:48 p.m.11 views

CVE-2026-10802

A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results in resource consumption. It is possible to launch the attac...

5.3CVSS5.2AI score0.0031EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:42 p.m.13 views

CVE-2025-3922

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service by overwhelming system resources under certain conditions due to insufficient...

6.5CVSS5.5AI score0.00402EPSS
Exploits0References1
Rows per page
Query Builder