CVE-2025-1110

GitLab CE/EE vulnerability CVE-2025-1110 affects all versions 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query due to insufficient access control granularity. The issue is documented across multiple sources (NVD, OSV) ...

CVE-2025-1110

Removed by vendor...

CVE-2019-1010304

Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated...

CVE-2019-1020015

graphql-engine aka Hasura GraphQL Engine before 1.0.0-beta.3 mishandles the audience check while verifying JWT...

CVE-2019-15576

An information disclosure vulnerability exists in GitLab CE/EE...

GitLab 18.0 < 18.0.1 (CVE-2025-1110)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query...

PT-2025-22482 · Gitlab · Gitlab Ce/Ee

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 18.0 through 18.0.0 Description: An issue has been discovered in GitLab CE/EE where a user with limited permissions could access Job Data via a crafted GraphQL query in certain circumstances. Recommendations: For GitLab...

GraphQL Import Success

GraphQL schema file was successfully imported and can be used during the scan. No source data...

GraphQL Import Failed

GraphQL schema file could not be imported and cannot be used during the scan. No source data...

CVE-2025-46720

Keystone is a content management system for Node.js. Prior to version 6.5.0, field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields...

graphql-ruby: Remote code execution when loading a crafted GraphQL schema

A flaw was found in graphql-ruby. In affected versions of graphq-ruby, loading a malicious schema definition in the GraphQL::Schema.fromintrospection or the GraphQL::Schema::Loader.load can cause remote code execution. Any system that loads a schema by JSON from an untrusted source is vulnerable,...

CVE-2025-46720

Keystone is a content management system for Node.js. Prior to version 6.5.0, field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields...

CVE-2025-46720 Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields

Keystone is a content management system for Node.js. Prior to version 6.5.0, field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields...

Denial Of Service (DoS)

github.com/mattermost/mattermost-server is vulnerable to Denial Of Service DoS. The vulnerability is due to missing validation of uniqueness and quantity of task actions in the UpdateRunTaskActions GraphQL operation, allowing attackers to overload the server by submitting excessive actions...

Restriction Bypass

@escape.tech/graphql-armor-cost-limit is vulnerable to Restriction bypass. The vulnerability is due to the default enabling of the ignoreIntrospection setting in GraphQL servers, which fails to enforce query cost restrictions when a query or fragment is named schema, allows attackers to bypass co...

CVE-2025-32354

In Zimbra Collaboration ZCS 9.0 through 10.1, a Cross-Site Request Forgery CSRF vulnerability exists in the GraphQL endpoint /service/extension/graphql of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying...

CVE-2025-32354

In Zimbra Collaboration ZCS 9.0 through 10.1, a Cross-Site Request Forgery CSRF vulnerability exists in the GraphQL endpoint /service/extension/graphql of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying...

CVE-2025-32354

In Zimbra Collaboration ZCS 9.0 through 10.1, a Cross-Site Request Forgery CSRF vulnerability exists in the GraphQL endpoint /service/extension/graphql of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying...

Security Bulletin: IBM FileNet Content Manager GraphQL Cross-site request forgery security vulnerability

Summary IBM FileNet Content Manager in GraphQL, there is a Cross-site request forgery security vulnerability. Vulnerability Details CVEID:CVE-2020-4745 DESCRIPTION: IBM FileNet Content Manager is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and...

CVE-2025-32354

CVE-2025-32354 (Zimbra Collaboration) affects ZCS 9.0–10.1. A CSRF flaw in the GraphQL endpoint (/service/extension/graphql) due to missing CSRF token validation allows an authenticated user to trigger unauthorized GraphQL operations (e.g., modify contacts, change settings, access sensitive data)...