
3125 matches found

Cvelist
added 2026/01/30 10:07 p.m. | 21 views

CVE-2020-37044 OpenCTI 3.3.1 - Cross Site Scripting

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For...

CVSS 5.4 | EPSS 0.00345
Exploits: 1 | References: 4
RedhatCVE
added 2026/01/30 9:23 p.m. | 7 views

CVE-2025-15550

birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query...

CVSS 5.3 | AI score 5.8 | EPSS 0.0014
Exploits: 0 | References: 1
CNNVD
added 2026/01/30 12:00 a.m. | 7 views

OpenCTI cross-site scripting vulnerability

OpenCTI is an open-source cyber threat intelligence platform. Version 3.3.1 of OpenCTI contains a cross-site scripting vulnerability. The vulnerability stems from reflected cross-site scripting in the graphql endpoint, which may allow JavaScript code to be executed in the victim's...

CVSS 6.1 | AI score 5.7 | EPSS 0.00345
Exploits: 1 | References: 4
Positive Technologies
added 2026/01/30 12:00 a.m. | 6 views

PT-2026-5484

Name of the Vulnerable Software and Affected Versions: OpenCTI version 3.3.1. Description: OpenCTI is susceptible to a reflected cross-site scripting (XSS) attack through the /graphql API endpoint. An attacker can inject malicious JavaScript code by sending a specially crafted GET request with a paylo...

CVSS 5.4 | AI score 5.3 | EPSS 0.00345
Exploits: 1 | References: 6
OSV
added 2026/01/29 8:16 p.m. | 4 views

CVE-2025-15550

birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query...

CVSS 5.1 | AI score 5.7 | EPSS 0.0014
Exploits: 0 | References: 2
NVD
added 2026/01/29 8:16 p.m. | 7 views

CVE-2025-15550

birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query...

CVSS 5.3 | EPSS 0.0014
Exploits: 0 | References: 2
CVE
added 2026/01/29 7:41 p.m. | 7 views

CVE-2025-15550

CVE-2025-15550 affects birkir prime

CVSS 5.3 | AI score 5.8 | EPSS 0.0014
Exploits: 0 | References: 2
ATTACKERKB
added 2026/01/29 7:41 p.m. | 3 views

CVE-2025-15550

birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query...

CVSS 5.3 | AI score 5.8 | EPSS 0.0014
Exploits: 0 | References: 3
Vulnrichment
added 2026/01/29 7:41 p.m. | 4 views

CVE-2025-15550 birkir prime <= 0.4.0.beta.0 - Cross-Site Request Forgery in GraphQL

birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query...

CVSS 5.3 | AI score 5.8 | EPSS 0.0014
Exploits: 0 | References: 2
Cvelist
added 2026/01/29 7:41 p.m. | 37 views

CVE-2025-15550 birkir prime <= 0.4.0.beta.0 - Cross-Site Request Forgery in GraphQL

birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query...

CVSS 5.3 | EPSS 0.0014
Exploits: 0 | References: 2
EUVD
added 2026/01/29 7:41 p.m. | 5 views

EUVD-2025-206514

birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query...

CVSS 5.3 | AI score 5.8 | EPSS 0.0014
Exploits: 0 | References: 2
CNNVD
added 2026/01/29 12:00 a.m. | 5 views

Prime cross-site request forgery vulnerability

Prime is a content management system developed by Birkir Gudjonsson. Versions of Prime up to and including 0.4.0.beta.0 contain a cross-site request forgery vulnerability. The vulnerability stems from cross-site request forgery in the GraphQL endpoints, which could allow attackers to trigger...

CVSS 5.3 | AI score 5.7 | EPSS 0.0014
Exploits: 0 | References: 3
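The OpenCTI and Prime entries above share one root cause: a GraphQL endpoint that accepts operations in exactly the form a browser will send cross-site without a CORS preflight (a GET with the document in the query string, or a POST with a form or text content type). A payload reflected from that query string becomes a reflected XSS; a mutation accepted over GET becomes a CSRF. The following is an added example, not code from OpenCTI, Prime or any of the sources listed here, of a request guard that closes both. The request object shape is an assumption; the two preflight-forcing header names are modelled on Apollo Server's csrfPrevention option, and the requests at the bottom are constructed, not captured traffic.

```javascript
// Added example, not code from OpenCTI or Prime: a guard in front of a GraphQL endpoint.
//  1. Mutations are never accepted over GET, so an <img src="/graphql?query=mutation{...}"> or a
//     link click cannot perform a state-changing action (the CSRF-via-GET pattern).
//  2. "Simple" requests a browser sends without a CORS preflight (GET, or POST with a form or text
//     content type, or none) must carry a preflight-forcing header. The header names follow Apollo
//     Server's csrfPrevention option (assumption: the server in front of you honours them).
//  3. Every error is returned as application/json with nosniff, so a payload reflected from
//     ?query= is never rendered as HTML (the reflected-XSS pattern).

const SIMPLE_CONTENT_TYPES = ['text/plain', 'application/x-www-form-urlencoded', 'multipart/form-data'];
const PREFLIGHT_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];

// Remove string literals and comments so braces or keywords inside them don't confuse the scanner.
function stripStringsAndComments(doc) {
  return doc
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n\r]*/g, '');
}

// Map of top-level operation name (null for an anonymous operation) -> 'query'|'mutation'|'subscription'.
// Fragments are skipped; tokens inside parentheses (variables, arguments) and nested braces are ignored.
function operationTypes(doc) {
  const ops = new Map();
  const tokens = /[{}()]|@[A-Za-z_]\w*|[A-Za-z_]\w*/g;
  let braceDepth = 0, parenDepth = 0, pendingType = null, pendingName = null;
  for (const [tok] of stripStringsAndComments(doc).matchAll(tokens)) {
    if (tok === '(') { parenDepth += 1; continue; }
    if (tok === ')') { parenDepth = Math.max(0, parenDepth - 1); continue; }
    if (parenDepth > 0) continue;
    if (tok === '{') {
      if (braceDepth === 0) {
        if (pendingType !== 'fragment') ops.set(pendingType ? pendingName : null, pendingType || 'query');
        pendingType = null; pendingName = null;
      }
      braceDepth += 1;
      continue;
    }
    if (tok === '}') { braceDepth = Math.max(0, braceDepth - 1); continue; }
    if (braceDepth > 0 || tok.startsWith('@')) continue;
    if (['query', 'mutation', 'subscription', 'fragment'].includes(tok)) { pendingType = tok; pendingName = null; }
    else if (pendingType && pendingType !== 'fragment' && pendingName === null) pendingName = tok;
  }
  return ops;
}

// Type of the operation the request would execute, or null when that cannot be decided safely
// (unparseable document, unknown operationName, or several operations and no operationName).
function requestedOperationType(doc, operationName) {
  const ops = operationTypes(doc);
  if (operationName != null) return ops.get(operationName) || null;
  return ops.size === 1 ? [...ops.values()][0] : null;
}

function jsonError(status, message) {
  return {
    status,
    headers: { 'content-type': 'application/json; charset=utf-8', 'x-content-type-options': 'nosniff' },
    body: JSON.stringify({ errors: [{ message }] }), // never echoes the incoming query
  };
}

// req = { method, url, headers: { name: value }, body?: string }. Returns a JSON error response, or
// { status: 200, operationType, query, operationName } for a request the executor may run.
function guardGraphqlRequest(req) {
  const headers = Object.fromEntries(Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const method = String(req.method).toUpperCase();
  if (method !== 'GET' && method !== 'POST') return jsonError(405, 'method not allowed');

  const contentType = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  const simpleRequest = method === 'GET' || contentType === '' || SIMPLE_CONTENT_TYPES.includes(contentType);
  if (simpleRequest && !PREFLIGHT_HEADERS.some((h) => h in headers)) {
    return jsonError(400, 'request could be cross-site: send application/json or a preflight-forcing header');
  }

  let query, operationName = null;
  if (method === 'GET') {
    const params = new URL(req.url, 'http://localhost').searchParams;
    query = params.get('query'); operationName = params.get('operationName');
  } else {
    let body;
    try { body = JSON.parse(req.body || ''); } catch (e) { return jsonError(400, 'body must be a JSON object'); }
    query = body && body.query; operationName = (body && body.operationName) || null;
  }
  if (typeof query !== 'string' || query.trim() === '') return jsonError(400, 'missing query');

  const operationType = requestedOperationType(query, operationName);
  if (operationType === null) return jsonError(400, 'operation could not be determined');
  if (method === 'GET' && operationType !== 'query') return jsonError(405, `${operationType} operations must use POST`);
  return { status: 200, operationType, query, operationName };
}

// Constructed requests (not captured traffic) showing each rule firing.
const demo = [
  { method: 'GET', url: '/graphql?query=' + encodeURIComponent('{ me { id } }'), headers: {} },
  { method: 'GET', url: '/graphql?query=' + encodeURIComponent('mutation { deleteUser(id: 1) { ok } }'), headers: { 'apollo-require-preflight': '1' } },
  { method: 'POST', url: '/graphql', headers: { 'content-type': 'application/json' }, body: JSON.stringify({ query: 'mutation M { deleteUser(id: 1) { ok } }', operationName: 'M' }) },
];
for (const r of demo) console.log(r.method, guardGraphqlRequest(r).status);
```

The guard is deliberately stricter than most servers' defaults: a request whose operation type cannot be determined is refused rather than guessed. If GET is not needed for cacheable queries, the simplest fix is to disable it altogether; the content-type rule still matters then, because a cross-site form can POST a text/plain body without any preflight.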
Snyk
added 2026/01/24 12:51 a.m. | 8 views

Authorization Bypass Through User-Controlled Key

Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the order GraphQL query. An attacker can access sensitive information, including personally identifiable information (PII), by sending unauthorized queries to the API. Workaround: This...

CVSS 8.7 | AI score 5.9 | EPSS 0.00364
Exploits: 1 | References: 2
Vulnrichment
added 2026/01/23 11:38 p.m. | 9 views

CVE-2026-24136 Saleor has an Insecure Direct Object Reference (IDOR) in GraphQL API

Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor...

CVSS 8.7 | AI score 5.8 | EPSS 0.00364
Exploits: 1 | References: 5
CVE
added 2026/01/23 11:38 p.m. | 22 views

CVE-2026-24136

CVE-2026-24136 affects Saleor, a commerce platform. An IDOR in the GraphQL order() query allows unauthenticated actors to exfiltrate sensitive information (PII) from orders created before 3.2.0. Affected versions span 3.2.0–3.20.109, 3.21.0-a.0–3.21.44, and 3.22.0-a.0–3.22.28. Remediation: upgrad...

CVSS 8.7 | AI score 5.5 | EPSS 0.00364
Exploits: 1 | References: 5 | Affected software: 1
OSV
added 2026/01/23 11:38 p.m. | 9 views

CVE-2026-24136 Saleor has an Insecure Direct Object Reference (IDOR) in GraphQL API

Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor...

CVSS 8.7 | AI score 5.5 | EPSS 0.00364
Exploits: 1 | References: 7
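The Saleor and Snyk entries above describe the same defect class: an `order` query whose only input is a user-controlled key, so presenting a valid order id is enough to read the record, including PII, without being logged in. What a resolver needs instead is shown below as an added example; it is not Saleor's code, and the in-memory orders, the `ctx.viewer` shape and the `MANAGE_ORDERS` permission name are constructed for the illustration.

```javascript
// Added example, not Saleor's code: the authorization check a GraphQL `order(id)` resolver needs
// so that knowing (or enumerating) an order id is not, by itself, enough to read the order.
// Data, viewer shape and permission name are constructed for the example.

const ORDERS = new Map([
  ['ord_1', { id: 'ord_1', customerId: 'cust_a', email: 'a@example.com', shippingAddress: '1 Main St', total: 120 }],
  ['ord_2', { id: 'ord_2', customerId: 'cust_b', email: 'b@example.com', shippingAddress: '2 High St', total: 80 }],
  ['ord_3', { id: 'ord_3', customerId: null, email: 'guest@example.com', shippingAddress: '3 Low Rd', total: 45 }], // guest checkout
]);

class AuthorizationError extends Error {
  constructor(message) { super(message); this.name = 'AuthorizationError'; }
}

// Vulnerable shape (IDOR): the id is the only thing consulted, so anyone, authenticated or not,
// who supplies a valid id gets the full record including PII.
function orderResolverVulnerable(_ctx, { id }) {
  return ORDERS.get(id) || null;
}

// Hardened shape: the requester must be authenticated, and must either own the order or hold a
// staff permission. A denied lookup returns null exactly like a missing id, so the resolver
// cannot be used as an oracle for which ids exist.
function orderResolverHardened(ctx, { id }) {
  const viewer = ctx.viewer; // assumed to be set by auth middleware from the session; null when anonymous
  if (!viewer) throw new AuthorizationError('authentication required');
  const order = ORDERS.get(id);
  if (!order) return null;
  const isOwner = order.customerId !== null && order.customerId === viewer.id;
  const isStaff = Array.isArray(viewer.permissions) && viewer.permissions.includes('MANAGE_ORDERS');
  return isOwner || isStaff ? order : null;
}

// Drive a resolver as a given viewer and classify the outcome: 'returned' | 'null' | 'denied'.
function probe(resolver, viewer, id) {
  try {
    return resolver({ viewer }, { id }) ? 'returned' : 'null';
  } catch (e) {
    if (e instanceof AuthorizationError) return 'denied';
    throw e;
  }
}

const customerA = { id: 'cust_a', permissions: [] };
const staff = { id: 'staff_1', permissions: ['MANAGE_ORDERS'] };
console.log('anonymous, vulnerable:', probe(orderResolverVulnerable, null, 'ord_2')); // returned (the IDOR)
console.log('anonymous, hardened:', probe(orderResolverHardened, null, 'ord_2'));     // denied
console.log('cust_a on ord_2:', probe(orderResolverHardened, customerA, 'ord_2'));    // null
console.log('staff on ord_3:', probe(orderResolverHardened, staff, 'ord_3'));         // returned
```

Guest orders (`customerId` null) are reachable here only by staff; letting the buyer of a guest order see it needs a separate, unguessable credential issued at checkout rather than the order id, which is outside this example. The same ownership-or-permission check belongs on every field that resolves to an order, not just the top-level query, or a connection elsewhere in the graph reopens the hole.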
NVD
added 2026/01/21 6:16 p.m. | 5 views

CVE-2021-47748

Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...

CVSS 9.8 | EPSS 0.0102
Exploits: 1 | References: 3
ATTACKERKB
added 2026/01/21 5:27 p.m. | 5 views

CVE-2021-47748

Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...

CVSS 9.8 | AI score 6.9 | EPSS 0.0102
Exploits: 1 | References: 3 | Affected software: 1
Cvelist
added 2026/01/21 5:27 p.m. | 21 views

CVE-2021-47748 Hasura GraphQL 1.3.3 - Remote Code Execution

Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...

CVSS 9.8 | EPSS 0.0102
Exploits: 1 | References: 3
EUVD
added 2026/01/21 5:27 p.m. | 7 views

EUVD-2026-3661

Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...

CVSS 9.8 | AI score 7 | EPSS 0.0102
Exploits: 1 | References: 4
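The Hasura entries above put the injection point at the run_sql endpoint, which executes raw SQL against the database and is meant for migrations and the admin console, not for application traffic. A cheap detection that does not depend on knowing the exact payload is to alert on any run_sql reaching the instance from a caller outside the small set that should use it. The block below is an added example, not Hasura's code: it parses a gateway log and extracts those calls. The log format (one JSON object per line carrying the parsed request body and an `admin_secret` flag) and the log lines themselves are constructed for the example; the `run_sql` type and the `bulk` envelope are the request shapes of Hasura's `/v1/query` API.

```javascript
// Added example, not Hasura's code: pull run_sql invocations out of a gateway log so that raw SQL
// reaching Hasura's /v1/query metadata API can be alerted on. The log format (one JSON object per
// line with the parsed request body) and every line in LOG_LINES are constructed for the example.

const LOG_LINES = [
  JSON.stringify({ ts: '2026-01-21T17:00:01Z', src: '10.0.5.12', path: '/v1/query', admin_secret: true,
    body: { type: 'run_sql', args: { sql: 'SELECT count(*) FROM orders' } } }),
  JSON.stringify({ ts: '2026-01-21T17:00:09Z', src: '203.0.113.7', path: '/v1/query', admin_secret: false,
    body: { type: 'bulk', args: [
      { type: 'track_table', args: { table: 'orders' } },
      { type: 'run_sql', args: { sql: 'CREATE TABLE t(x text)' } },
    ] } }),
  JSON.stringify({ ts: '2026-01-21T17:00:15Z', src: '198.51.100.4', path: '/v1/graphql', admin_secret: false,
    body: { query: '{ users { id } }' } }),
  'garbage line that is not JSON',
].join('\n');

// Recursively collect run_sql arguments, unwrapping bulk envelopes (which may nest).
function collectRunSql(body, viaBulk = false, out = []) {
  if (!body || typeof body !== 'object') return out;
  if (body.type === 'bulk' && Array.isArray(body.args)) {
    for (const inner of body.args) collectRunSql(inner, true, out);
  } else if (body.type === 'run_sql' && body.args && typeof body.args.sql === 'string') {
    out.push({ sql: body.args.sql, viaBulk });
  }
  return out;
}

// Parse the log and return one event per run_sql statement; malformed lines are skipped, not fatal.
function findRunSqlEvents(logText) {
  const events = [];
  for (const line of logText.split('\n')) {
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; }
    if (!rec || rec.path !== '/v1/query') continue;
    for (const hit of collectRunSql(rec.body)) {
      events.push({ ts: rec.ts, src: rec.src, adminSecret: rec.admin_secret === true, ...hit });
    }
  }
  return events;
}

// Alert on run_sql from any source outside the allow-list, or any call made without the admin secret.
function suspiciousRunSql(events, trustedSources) {
  const trusted = new Set(trustedSources);
  return events.filter((e) => !trusted.has(e.src) || !e.adminSecret);
}

const found = findRunSqlEvents(LOG_LINES);
const alerts = suspiciousRunSql(found, ['10.0.5.12']);
for (const a of alerts) console.log(`ALERT ${a.ts} ${a.src} run_sql${a.viaBulk ? ' (bulk)' : ''}: ${a.sql}`);
```

The allow-list and the admin-secret flag are the only tunables: run_sql should come from a migration runner or a console host, so any other caller is worth a ticket regardless of what the SQL says, and a run_sql that the instance accepted without an admin secret means the secret is not configured at all. Unwrapping `bulk` matters because a single bulk request can hide a run_sql among harmless metadata operations.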