3125 matches found
MAL-2026-1540 Malicious code in typescript-type-graphql (npm)
The package 'typescript-type-graphql' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...
EUVD-2026-11707
Anchore Enterprise versions before 5.25.1 contain an SQL injection vulnerability in the GraphQL Reports API. An authenticated attacker that is able to access the GraphQL API could execute arbitrary SQL instructions resulting in modifications to the data contained in the Anchore Enterprise databas...
Prototype Pollution
Overview @apollo/gateway is a library exporting utility functions. Affected versions of this package are vulnerable to Prototype Pollution through incomplete sanitization of input in the query plan execution. An attacker can manipulate the Object.prototype in the gateway by crafting operations wi...
Prototype Pollution
Overview @apollo/query-planner is an Apollo Query Planner Affected versions of this package are vulnerable to Prototype Pollution through incomplete sanitization of input in the query plan execution. An attacker can manipulate the Object.prototype in the gateway by crafting operations with field...
EUVD-2026-12097
Parse Server's GraphQL WebSocket endpoint bypasses security middleware...
Missing Authentication for Critical Function
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the createSubscriptions process. An attacker can execute unauthorized GraphQ...
Parse Server's GraphQL WebSocket endpoint bypasses security middleware
Impact Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the...
GHSA-P2X3-8689-CWPG Parse Server's GraphQL WebSocket endpoint bypasses security middleware
Impact Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the...
CVE-2026-32594 Parse Server GraphQL WebSocket endpoint bypasses security middleware
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection...
CVE-2026-32594 Parse Server GraphQL WebSocket endpoint bypasses security middleware
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection...
CVE-2026-32594
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection...
CVE-2026-32594
Parse Server vulnerability CVE-2026-32594 affects the GraphQL WebSocket endpoint used for subscriptions, where requests bypass the Express middleware that enforces authentication, introspection control, and query complexity limits. Prior to versions 8.6.40 and 9.6.0-alpha.14, an attacker could co...
CVE-2026-25076
Anchore Enterprise versions before 5.25.1 contain an SQL injection vulnerability in the GraphQL Reports API. An authenticated attacker that is able to access the GraphQL API could execute arbitrary SQL instructions resulting in modifications to the data contained in the Anchore Enterprise databas...
BIT-GITLAB-2026-1069 Uncontrolled Recursion in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances...
PT-2026-25374
Impact Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the...
CVE-2026-25076
Technical details about CVE-2026-25076 are not publicly provided in the supplied documents; monitor for updates.
CVE-2026-25076
Anchore Enterprise versions before 5.25.1 contain an SQL injection vulnerability in the GraphQL Reports API. An authenticated attacker that is able to access the GraphQL API could execute arbitrary SQL instructions resulting in modifications to the data contained in the Anchore Enterprise databas...
CVE-2026-25076 Anchore Enterprise GraphQL Reports API SQL injection
Anchore Enterprise versions before 5.25.1 contain an SQL injection vulnerability in the GraphQL Reports API. An authenticated attacker that is able to access the GraphQL API could execute arbitrary SQL instructions resulting in modifications to the data contained in the Anchore Enterprise databas...
CVE-2026-25076 Anchore Enterprise GraphQL Reports API SQL injection
Anchore Enterprise versions before 5.25.1 contain an SQL injection vulnerability in the GraphQL Reports API. An authenticated attacker that is able to access the GraphQL API could execute arbitrary SQL instructions resulting in modifications to the data contained in the Anchore Enterprise databas...
@tinacms/app (>=0.0.0-0b7103c-20251216023146 <=2.3.24), @tinacms/cli (>=0.0.0-0b7103c-20251216023146 <=2.1.5) +4 more potentially affected by CVE-2026-24125 via @tinacms/graphql (>=2.0.0 <=2.1.1)
@tinacms/graphql NPM version =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =3.4.1 Source cves: CVE-2026-24125 Source advisory: SNYK:JS-TINACMSGRAPHQL-15518060...