PT-2026-31347

Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an...

saleor 安全漏洞

Saleor is an open-source interface software developed by Saleor Commerce. Vulnerabilities exist in versions of Saleor from 2.0.0 to 3.23.0a3, as well as versions before 3.22.47, 3.21.54, and 3.20.118. These vulnerabilities stem from the possibility for malicious actors to include multiple GraphQL...

saleor 安全漏洞

Saleor is an open-source interface software developed by Saleor Commerce. Versions of Saleor prior to 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118 contain security vulnerabilities. These vulnerabilities stem from the lack of a limit on the number of GraphQL batch operations, which may lead to resourc...

GitLab 18.2 < 18.8.9 / 18.9 < 18.9.5 / 18.10 < 18.10.3 (CVE-2026-1101)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial o...

GitLab 安全漏洞

GitLab is an end-to-end software development platform provided by the American company GitLab. It includes built-in features such as version control, issue tracking, code review, and CI/CD continuous integration and delivery. There were security vulnerabilities in versions prior to GitLab 18.8.9,...

Gitlab -- vulnerabilities

Gitlab reports: Exposed Method issue in websocket connections impacts GitLab CE/EE Denial of Service issue in Terraform state lock API impacts GitLab CE/EE Denial of Service issue in GraphQL API impacts GitLab CE/EE Denial of Service issue in CSV import impacts GitLab CE/EE Denial of Service issu...

CVE-2026-35441

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive...

CVE-2026-35413

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQLINTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries schema, type. However, the serverspecsgraphql resolver on the /graphql/system endpoint...

PYSEC-2026-133

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...

CVE-2026-35523

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...

agent-evaluator (=0.7.8), airo-camera-toolkit (>=2025.4.0 <=2026.5.0) +79 more potentially affected by CVE-2026-35523 via strawberry-graphql (>=0.202.1 <=0.312.0)

strawberry-graphql PYPI version =0.202.1, =2025.4.0, =2025.4.0, =0.1.0, =0.1.0, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.0.33, =0.9.0, =25.13.0, =0.41.0, =1.2.0, =0.1.0a1, =0.1.0a10 and more Source cves: CVE-2026-35523 Source advisory: OSV:PYSEC-2026-133...

PYSEC-2026-133

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...

PYSEC-2026-134

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...

agent-evaluator (=0.7.8), airo-camera-toolkit (>=2025.4.0 <=2026.5.0) +79 more potentially affected by CVE-2026-35526 via strawberry-graphql (>=0.202.1 <=0.312.0)

strawberry-graphql PYPI version =0.202.1, =2025.4.0, =2025.4.0, =0.1.0, =0.1.0, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.0.33, =0.9.0, =25.13.0, =0.41.0, =1.2.0, =0.1.0a1, =0.1.0a10 and more Source cves: CVE-2026-35526 Source advisory: OSV:PYSEC-2026-134...

PYSEC-2026-134

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...

CVE-2026-35523

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...

CVE-2026-35523 Authentication bypass in strawberry-graphql via legacy graphql-ws WebSocket subprotocol

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...

CVE-2026-35523

CVE-2026-35523 affects Strawberry GraphQL up to version 0.312.3, where the legacy graphql-ws WebSocket subprotocol may bypass authentication on WebSocket subscription endpoints. The root cause is that the graphql-ws handshake (connection_init) is not verified before processing start/subscription ...

CVE-2026-35523 Authentication bypass in strawberry-graphql via legacy graphql-ws WebSocket subprotocol

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...

CVE-2026-35526

CVE-2026-35526 concerns the Strawberry GraphQL library. Before version 0.312.3, the WebSocket subscription handlers for both graphql-transport-ws and legacy graphql-ws allocate an asyncio.Task and an associated Operation for every incoming subscribe message without enforcing a limit on active sub...