GitLab 18.5 < 18.8.7 / 18.9 < 18.9.3 / 18.10 < 18.10.1 (CVE-2026-3988)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to cause a...

Gitlab -- vulnerabilities

Gitlab reports: Improper Handling of Parameters issue in Jira Connect installations impacts GitLab CE/EE Cross-Site Request Forgery issue in GLQL API impacts GitLab CE/EE HTML Injection in vulnerability report impacts GitLab EE Denial of Service issue in GraphQL API impacts GitLab CE/EE Improper...

PT-2026-28063

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 17.10 through 18.8.6 GitLab CE/EE versions 18.9 through 18.9.2 GitLab CE/EE versions 18.10 through 18.10.0 Description An issue exists in GitLab CE/EE that could allow an unauthenticated user to execute arbitrary GraphQL...

WordPress plugin WPGraphQL 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There wa...

PT-2026-27271

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user including a custom role with zero capabilities to change moderation status of their own comment for example to APPROVE without the...

BIT-PARSE-2026-32594 Parse Server GraphQL WebSocket endpoint bypasses security middleware

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and...

ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.114.0 <=0.120.0), ai.ancf.lmos:arc-runner (>=0.114.0 <=0.120.0) +1424 more potentially affected by CVE-2026-22735 via org.springframework:spring-webflux (>=6.2.0 <=6.2.16)

org.springframework:spring-webflux MAVEN version =6.2.0, =0.114.0, =0.114.0, =0.5.0, =0.8.0, =1.0.0, =1.0.0, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.6 - ai.telosforge:kimaira-util-webclient =1.2.6 and more Source cves: CVE-2026-22735 Source advisory:...

ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.114.0 <=0.120.0), ai.ancf.lmos:arc-runner (>=0.114.0 <=0.120.0) +1424 more potentially affected by CVE-2026-22737 via org.springframework:spring-webflux (>=6.2.0 <=6.2.16)

org.springframework:spring-webflux MAVEN version =6.2.0, =0.114.0, =0.114.0, =0.5.0, =0.8.0, =1.0.0, =1.0.0, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.6 - ai.telosforge:kimaira-util-webclient =1.2.6 and more Source cves: CVE-2026-22737 Source advisory:...

CVE-2026-21886

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this...

PYSEC-2026-117

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this...

CVE-2026-21886

OpenCTI CVE-2026-21886 describes a validation gap in the GraphQL mutation IndividualDeletionDeleteMutation that could let a user delete unrelated or sensitive objects (e.g., analyses, reports) due to lack of contextual checks. Affected software: OpenCTI prior to version 6.9.1. Root cause: API mut...

CVE-2026-21886 OpenCTI's GraphQL Mutations Allow Deletion of Unrelated Entities

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this...

CVE-2026-21886 OpenCTI's GraphQL Mutations Allow Deletion of Unrelated Entities

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this...

OpenCTI 安全漏洞

OpenCTI is an open-source network threat intelligence platform developed by OpenCTI. Versions of OpenCTI prior to 6.9.1 contained security vulnerabilities. These vulnerabilities were due to a flaw in GraphQL mutations that lacked validation, which could lead to the deletion of irrelevant and...

CVE-2026-32594

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection...

Malicious Package

Overview graphql-request-dom is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious code in graphql-request-dom (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 12e85257ce18204d98a8a6181fa40a75d7feb91477b98f6b86ba89223a9f4e51 The package graphql-request-dom was found to contain malicious code. Source: ghsa-malware...

MAL-2026-1444 Malicious code in graphql-request-dom (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 12e85257ce18204d98a8a6181fa40a75d7feb91477b98f6b86ba89223a9f4e51 The package graphql-request-dom was found to contain malicious code. Source: ghsa-malware...

Parse Server 访问控制错误漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were access control vulnerability issues in versions of Parse Server prior to 8.6.40 and 9.6.0-alpha.14. This vulnerability stemmed from the GraphQL...

Malicious code in typescript-type-graphql (npm)

The package 'typescript-type-graphql' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...