CVE-2025-23204

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to security, the impact is there only when...

CVE-2022-0152

An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to unauthorized access to some particular fields through the GraphQL API...

CVE-2024-39895

Directus is a real-time API and App dashboard for managing SQL database content. A denial of service DoS attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single...

CVE-2021-41249

GraphQL Playground is a GraphQL IDE for development of graphQL focused applications. All versions of graphql-playground-react older than [email protected] are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names,...

CVE-2021-22209

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed...

CVE-2022-31173

Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually...

CVE-2024-39323

aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10,...

PT-2026-1715

Name of the Vulnerable Software and Affected Versions GitLab EE versions 18.5 through 18.5.4 GitLab EE versions 18.6 through 18.6.2 GitLab EE versions 18.7 through 18.7.0 Description An authenticated user could modify instance-wide AI feature provider settings due to missing authorization checks ...

GitLab Enterprise Edition（EE）和GitLab Community Edition（CE） 安全漏洞

GitLab Enterprise Edition EE and GitLab Community Edition CE are both products of GitLab, Inc. GitLab Enterprise Edition is a content management system. GitLab Enterprise Edition is a content management system. A security vulnerability in GitLab Enterprise Edition EE and GitLab Community Edition ...

GitLab Enterprise Edition（EE） 安全漏洞

GitLab Enterprise Edition EE is a content management system from GitLab, Inc. in the United States. A security vulnerability exists in GitLab Enterprise Edition EE versions prior to 18.5.5, prior to 18.6.3, and prior to 18.7.1, which stems from a lack of authorization checking in a GraphQL change...

CVE-2025-1110

An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query...

CVE-2019-12437

In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations,...

CVE-2025-68437

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery SSRF. This vulnerability arises because the file input, specifically its url parameter,...

CVE-2024-2440

A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on a detached repository by making a GraphQL mutation to alter repository permissions while the repository is detached. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.13...

PT-2026-1693

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 15.4 through 18.5.4 GitLab CE/EE versions 18.6 through 18.6.2 GitLab CE/EE versions 18.7 through 18.7.0 Description An authenticated user with specific permissions could remove all project runners from unrelated projects ...

Gitlab -- vulnerabilities

Gitlab reports: Stored Cross-site Scripting issue in GitLab Flavored Markdown placeholders impacts GitLab CE/EE Cross-site Scripting issue in Web IDE impacts GitLab CE/EE Missing Authorization issue in Duo Workflows API impacts GitLab EE Missing Authorization issue in AI GraphQL mutation impacts...

CVE-2025-61781

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation...

CVE-2025-68437

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery SSRF. This vulnerability arises because the file input, specifically its url parameter,...

EUVD-2026-0845

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery SSRF. This vulnerability arises because the file input, specifically its url parameter,...

CVE-2025-68437 Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery SSRF. This vulnerability arises because the file input, specifically its url parameter,...