3128 matches found

Positive Technologies
added 2025/06/10 12:0 a.m. · 7 views

PT-2025-24712 · Erxes · Erxes

Name of the Vulnerable Software and Affected Versions: Erxes versions prior to 1.6.2
Description: The issue allows an authenticated attacker to write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler.
Recommendations: For...

7.1 CVSS · 6.4 AI score · 0.0034 EPSS
Exploits: 1 · References: 7

Positive Technologies
added 2025/06/10 12:0 a.m. · 4 views

PT-2025-24820 · Erxes · Erxes

Name of the Vulnerable Software and Affected Versions: Erxes versions prior to 1.6.1
Description: The issue is related to Incorrect Access Control, allowing an attacker to bypass authentication. This can be achieved by providing a "User" HTTP header with any user, enabling access to any GraphQL...

9.8 CVSS · 6.6 AI score · 0.0057 EPSS
Exploits: 1 · References: 7

CNNVD
added 2025/06/10 12:0 a.m. · 2 views

erxes security vulnerability

erxes is an open source Hubspot/Qualtrics alternative that enables SaaS providers and digital marketing agencies/developers to create unique experiences for their entire business. A security vulnerability exists in erxes versions prior to 1.6.2, which stems from a path traversal...

5.4 CVSS · 6.5 AI score · 0.0034 EPSS
Exploits: 1 · References: 3

Vulnrichment
added 2025/06/10 12:0 a.m. · 6 views

CVE-2024-57189

In Erxes 1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler...

7 AI score · 0.0034 EPSS
Exploits: 1 · References: 2

CNNVD
added 2025/06/10 12:0 a.m. · 2 views

erxes security vulnerability

erxes is an open source Hubspot/Qualtrics alternative that enables SaaS providers and digital marketing agencies/developers to create unique experiences for their entire business. A security vulnerability exists in versions prior to erxes 1.6.1 that stems from improper access...

9.8 CVSS · 6.7 AI score · 0.0057 EPSS
Exploits: 1 · References: 3

Vulnrichment
added 2025/06/10 12:0 a.m. · 6 views

CVE-2024-57190

Erxes 1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint...

7.4 AI score · 0.0057 EPSS
Exploits: 1 · References: 2

CVE
added 2025/06/10 12:0 a.m. · 54 views

CVE-2024-57190

Affected software: Erxes prior to 1.6.1. Vulnerability: Incorrect Access Control enabling authentication bypass by sending a User header containing any user, allowing access to any GraphQL endpoint. Root cause: improper validation of the User header leading to auth bypass. Impact: high confidenti...

9.8 CVSS · 6.8 AI score · 0.0057 EPSS
Exploits: 1 · References: 2 · Affected Software: 1

Cvelist
added 2025/06/10 12:0 a.m. · 25 views

CVE-2024-57190

Erxes 1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint...

0.0057 EPSS
Exploits: 1 · References: 2

OSV
added 2025/06/05 12:11 a.m. · 5 views

OSV-2025-436 Security exception in graphql.parser.GraphqlAntlrToLanguage.createNonNullType

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=422217211
Crash type: Security exception
Crash state: graphql.parser.GraphqlAntlrToLanguage.createNonNullType graphql.parser.GraphqlAntlrToLanguage.createType graphql.parser.GraphqlAntlrToLanguage.createListType...

7.1 AI score
Exploits: 0 · References: 1

Positive Technologies
added 2025/06/05 12:0 a.m. · 4 views

PT-2025-33603 · Git · Graphql-Java

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=422217211
Crash type: Security exception
Crash state: graphql.parser.GraphqlAntlrToLanguage.createNonNullType graphql.parser.GraphqlAntlrToLanguage.createType graphql.parser.GraphqlAntlrToLanguage.createListType...

7.2 AI score
Exploits: 0 · References: 2

Tenable Nessus
added 2025/06/04 12:0 a.m. · 9 views

GraphQL Alias Overloading Enabled

GraphQL is an open-source query and manipulation language for APIs. GraphQL alias overloading is a vulnerability where an attacker sends queries with numerous aliased fields to cause server performance degradation. The server must process each alias separately, which can lead to excessive CPU...

7.2 AI score
Exploits: 0 · References: 1

Tenable Nessus
added 2025/06/04 12:0 a.m. · 8 views

GraphQL Query Length Not Limited

GraphQL is an open-source query and manipulation language for APIs. When a GraphQL API does not enforce limits on query length or complexity, attackers can submit extremely large and complex queries that consume excessive server resources, potentially causing denial of service conditions. No sour...

7.4 AI score
Exploits: 0 · References: 1

Tenable Nessus
added 2025/06/04 12:0 a.m. · 5 views

GraphQL Debug Mode Enabled

GraphQL is an open-source query and manipulation language for APIs. When GraphQL is run in a 'debug mode' it can leak information about the underlying web applications. No source data...

7 AI score
Exploits: 0 · References: 1

OSV
added 2025/05/26 7:43 a.m. · 10 views

BIT-GITLAB-2025-1110 Insufficient Granularity of Access Control in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query...

4.3 CVSS · 6.7 AI score · 0.00268 EPSS
Exploits: 0 · References: 3

RedhatCVE
added 2025/05/23 11:58 a.m. · 13 views

CVE-2025-22151

Strawberry GraphQL is a library for creating GraphQL APIs. Starting in 0.182.0 and prior to version 0.257.0, a type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple...

3.7 CVSS · 6.7 AI score · 0.00361 EPSS
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 10:36 a.m. · 12 views

CVE-2024-47082

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable ...

8 CVSS · 7 AI score · 0.00223 EPSS
Exploits: 0

RedhatCVE
added 2025/05/23 10:19 a.m. · 18 views

CVE-2024-4006

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions...

4.3 CVSS · 6.5 AI score · 0.00468 EPSS
Exploits: 1

RedhatCVE
added 2025/05/23 9:41 a.m. · 8 views

CVE-2024-1066

An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to cause resource exhaustion using GraphQL vulnerabilitiesCountByDay...

6.5 CVSS · 6.4 AI score · 0.00631 EPSS
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 9:24 a.m. · 3 views

CVE-2024-5430

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer to delete the merge request approval policy via GraphQL...

6.8 CVSS · 6.8 AI score · 0.00491 EPSS
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 8:57 a.m. · 9 views

CVE-2024-47401

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to crash by...

4.3 CVSS · 6.6 AI score · 0.00442 EPSS
Exploits: 0 · References: 1