Lucene search
K

158 matches found

Cvelist
Cvelist
added 2026/03/31 2:38 p.m.23 views

CVE-2026-34373 Parse Server: GraphQL API endpoint ignores CORS origin restriction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This...

5.3CVSS0.00202EPSS
Exploits0References5
NVD
NVD
added 2026/03/25 5:17 p.m.3 views

CVE-2026-3988

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance unresponsive due to improper input validation in...

7.5CVSS0.00478EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/23 11:58 p.m.4 views

CVE-2026-33290

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user including a custom role with zero capabilities to change moderation status of their own comment for example to APPROVE without the...

4.3CVSS5.8AI score0.00177EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/03/17 3:26 p.m.27 views

CVE-2026-21886 OpenCTI's GraphQL Mutations Allow Deletion of Unrelated Entities

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this...

6.5CVSS0.00227EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/11 4:5 p.m.5 views

CVE-2026-1069

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances...

7.5CVSS5.8AI score0.00398EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/03/11 12:16 a.m.4 views

GHSA-CMJ3-WX7H-FFVG Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API

Impact An unauthenticated attacker can exhaust Parse Server resources CPU, memory, database connections through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. Patches The vulnerabili...

8.7CVSS5.8AI score0.00562EPSS
Exploits0References5
OSV
OSV
added 2026/03/10 8:51 p.m.4 views

CVE-2026-31800 Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the GraphQLConfig and Audience internal classes can be read, modified, and deleted via the generic /classes/GraphQLConfig and /classes/Audience REST API rout...

8.8CVSS5.8AI score0.00335EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.9 views

PT-2026-24424

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.5.2-alpha.2 Parse Server versions prior to 8.6.15 Description Parse Server, an open-source backend deployable on Node.js infrastructures, is susceptible to resource exhaustion. An unauthenticated attacker can...

8.7CVSS5.7AI score0.00562EPSS
Exploits0References10
Veracode
Veracode
added 2026/03/07 5:11 a.m.4 views

Missing Authorization

craftcms/cms is vulnerable to Missing Authorization. The vulnerability is due to missing authorization checks in the GraphQL @parseRefs directive, which allows an attacker to access sensitive attributes of CMS elements without proper permissions...

8.7CVSS5.9AI score0.00447EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/06 9:15 p.m.4 views

CVE-2026-30241 Mercurius: queryDepth limit bypassed for WebSocket subscriptions

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are...

6.9CVSS5.8AI score0.00362EPSS
Exploits0References4
NVD
NVD
added 2026/02/27 8:17 a.m.18 views

CVE-2025-9572

n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass...

6.5CVSS0.00348EPSS
Exploits0References7
OSV
OSV
added 2026/02/27 8:17 a.m.2 views

UBUNTU-CVE-2025-9572

n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass...

6.5CVSS5.8AI score0.00348EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/02/27 7:28 a.m.7 views

CVE-2025-9572

n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass...

6.5CVSS5.9AI score0.00348EPSS
Exploits0References8Affected Software1
CNNVD
CNNVD
added 2026/02/26 12:0 a.m.9 views

Hoppscotch 安全漏洞

Hoppscotch is an open-source API development ecosystem developed by Hoppscotch. Versions of Hoppscotch prior to 2026.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authorization checks in the userCollection GraphQL queries, which could lead to insecure dire...

6.5CVSS5.8AI score0.00369EPSS
Exploits1References2
OSV
OSV
added 2026/02/16 4:28 p.m.5 views

BIT-GITLAB-2025-14592 Missing Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API...

5.3CVSS5.6AI score0.00254EPSS
Exploits0References4
CVE
CVE
added 2026/02/12 4:22 p.m.50 views

CVE-2025-55210

CVE-2025-55210 affects FreePBX PBX API (module api) prior to 17.0.5 and 16.0.17. The issue allows privilege escalation for authenticated users with REST/GraphQL API access by forging a valid JWT signed with the api-oauth.key private key and arbitrary scopes. The token will be accepted only if its...

7.5CVSS5.6AI score0.00296EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/02/12 4:22 p.m.9 views

CVE-2025-55210 FreePBX API has a Privilege Escalation Error in GraphQL Allowing Authenticated Users to Access Additional Scopes

FreePBX is an open-source web-based graphical user interface GUI that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api PBX API is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT wit...

2CVSS5.6AI score0.00296EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/02/12 12:0 a.m.7 views

PT-2026-7859

FreePBX is an open-source web-based graphical user interface GUI that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api PBX API is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT wit...

2CVSS5.6AI score0.00296EPSS
Exploits0References5
OSV
OSV
added 2026/02/11 12:16 p.m.4 views

UBUNTU-CVE-2025-14592

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API...

5.3CVSS5.8AI score0.00254EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/02/11 11:35 a.m.5 views

CVE-2025-8099

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.8 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries...

7.5CVSS5.5AI score0.004EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder