Malicious code in @redhat-cloud-services/remediations-client (npm)

Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...

CVE-2026-44224

Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without...

wiki.js 安全漏洞

Wiki.js is a Wiki application open-sourced by requarks.io. Versions of Wiki.js prior to 2.5.313 contained a security vulnerability. This vulnerability stemmed from the GraphQL mutation in users.update, which accepted an arbitrary groups array and applied it directly to the database without...

EUVD-2026-24086

FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess function where GraphQL mutation input fields are passed directly to shellexec without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL...

CVE-2026-40520

FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess function where GraphQL mutation input fields are passed directly to shellexec without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL...

PT-2026-33931

FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess function where GraphQL mutation input fields are passed directly to shell exec without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL...

CVE-2026-21886

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this...

PYSEC-2026-117

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this...

CVE-2026-21886

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this...

CVE-2026-21886 OpenCTI's GraphQL Mutations Allow Deletion of Unrelated Entities

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this...

Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation

I observed a recent commit intended to mitigate Server-Side Request Forgery SSRF vulnerabilities. While the implemented defense mechanisms are an improvement, I have identified two methods to bypass these protections. This report details the first bypass method involving alternative IP notation,...

Server-side Request Forgery (SSRF)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in handleUpload, which is exploitable via the saveimagesAsset mutation in the GraphQL API. An attacker can retrieve sensitive internal resources, such as AWS...

Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host

Summary - The saveimagesAsset graphql mutation allows a user to give a url of an image to download. Url must use a domain, not a raw IP. - Attacker sets up domain attacker.domain with an A record of something like 169.254.169.254 special AWS metadata IP - Attacker invokes saveimagesAsset with url...

CVE-2026-25494

Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 are affected by a vulnerability in the saveAsset GraphQL mutation, where filter_var(..., FILTER_VALIDATE_IP) blocks a defined IP list but fails to recognize hexadecimal or mixed notations, allowing bypass of the blocklist t...

CVE-2026-25493 Craft has a SSRF in GraphQL Asset Mutation via HTTP Redirect

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypa...

CVE-2026-25492 Craft has a save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveimagesAsset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a...

CVE-2026-25492 Craft has a save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveimagesAsset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a...

Craft CMS 安全漏洞

Craft CMS is an open-source content management system developed by Craft CMS. There were security vulnerabilities in versions of Craft CMS from 4.0.0-RC1 up to 4.17.0-beta.1, as well as in version 5.9.0-beta.1. These vulnerabilities stemmed from improper authorization validation in the saveAsset...

PT-2026-7144

Name of the Vulnerable Software and Affected Versions Craft versions 4.0.0-RC1 through 4.16.17 Craft versions 5.0.0-RC1 through 5.8.21 Description The saveAsset GraphQL mutation in Craft does not properly validate IP addresses used to access cloud metadata services. The application uses filter...

CVE-2021-22209

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed...