3125 matches found

OSV
added 2025/12/22 10:15 p.m. | 3 views

CVE-2021-47714

Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files through SQL injection in the query endpoint. Attackers can exploit the pg_read_file PostgreSQL function by crafting malicious SQL queries to read arbitrary files on the server...

5.5 CVSS | 7.5 AI score
Exploits: 0 | References: 3

Cvelist
added 2025/12/22 9:35 p.m. | 20 views

CVE-2021-47714 Hasura GraphQL 1.3.3 Local File Read via SQL Injection

Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files through SQL injection in the query endpoint. Attackers can exploit the pg_read_file PostgreSQL function by crafting malicious SQL queries to read arbitrary files on the server...

6.9 CVSS | 0.00183 EPSS
Exploits: 1 | References: 3

CVE
added 2025/12/22 9:35 p.m. | 12 views

CVE-2021-47715

Hasura GraphQL Engine 1.3.3 is exposed to a server-side request forgery via the add_remote_schema endpoint. The underlying issue allows injection of arbitrary remote schema URLs by crafting POST requests to /v1/query, potentially enabling access to internal network resources. Affected component: ...

6.9 CVSS | 6.7 AI score | 0.00323 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Vulnrichment
added 2025/12/22 9:35 p.m. | 4 views

CVE-2021-47714 Hasura GraphQL 1.3.3 Local File Read via SQL Injection

Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files through SQL injection in the query endpoint. Attackers can exploit the pg_read_file PostgreSQL function by crafting malicious SQL queries to read arbitrary files on the server...

6.9 CVSS | 7.2 AI score | 0.00183 EPSS
Exploits: 1 | References: 3

Vulnrichment
added 2025/12/22 9:35 p.m. | 4 views

CVE-2021-47715 Hasura GraphQL 1.3.3 Server-Side Request Forgery via Remote Schema Injection

Hasura GraphQL 1.3.3 contains a server-side request forgery vulnerability that allows attackers to inject arbitrary remote schema URLs through the add_remote_schema endpoint. Attackers can exploit the vulnerability by sending crafted POST requests to the /v1/query endpoint with malicious URL...

6.9 CVSS | 6.7 AI score | 0.00323 EPSS
Exploits: 1 | References: 3

Cvelist
added 2025/12/22 9:35 p.m. | 24 views

CVE-2021-47715 Hasura GraphQL 1.3.3 Server-Side Request Forgery via Remote Schema Injection

Hasura GraphQL 1.3.3 contains a server-side request forgery vulnerability that allows attackers to inject arbitrary remote schema URLs through the add_remote_schema endpoint. Attackers can exploit the vulnerability by sending crafted POST requests to the /v1/query endpoint with malicious URL...

6.9 CVSS | 0.00323 EPSS
Exploits: 1 | References: 3

CVE
added 2025/12/22 9:35 p.m. | 11 views

CVE-2021-47713

Affected software: Hasura GraphQL Engine, version 1.3.3. Vulnerability: Denial-of-service via crafted GraphQL queries with excessively nested fields, enabling an attacker to use long query strings and multi-threaded requests to exhaust server resources and potentially crash the GraphQL endpoint. ...

8.7 CVSS | 6.4 AI score | 0.00405 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Vulnrichment
added 2025/12/22 9:35 p.m. | 3 views

CVE-2021-47713 Hasura GraphQL 1.3.3 Denial of Service via Malicious GraphQL Query

Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resource...

8.7 CVSS | 6.4 AI score | 0.00405 EPSS
Exploits: 1 | References: 3

Cvelist
added 2025/12/22 9:35 p.m. | 23 views

CVE-2021-47713 Hasura GraphQL 1.3.3 Denial of Service via Malicious GraphQL Query

Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resource...

8.7 CVSS | 0.00405 EPSS
Exploits: 1 | References: 3

Positive Technologies
added 2025/12/22 12:00 a.m. | 5 views

PT-2025-52689

Name of the Vulnerable Software and Affected Versions: Hasura GraphQL version 1.3.3. Description: The software is susceptible to a denial of service condition. Attackers can exploit this by sending specially crafted GraphQL queries containing deeply nested fields. These queries are designed to consu...

8.7 CVSS | 6.7 AI score | 0.00405 EPSS
Exploits: 1 | References: 7

CNNVD
added 2025/12/22 12:00 a.m. | 4 views

Hasura GraphQL Engine Security Vulnerability

Hasura GraphQL Engine is a very fast GraphQL server from Hasura Open Source. A security vulnerability exists in Hasura GraphQL Engine version 1.3.3 that stems from a malicious GraphQL query that could lead to a denial of service attack...

8.7 CVSS | 6.5 AI score | 0.00405 EPSS
Exploits: 1 | References: 3

Positive Technologies
added 2025/12/22 12:00 a.m. | 8 views

PT-2025-52691

Name of the Vulnerable Software and Affected Versions: Hasura GraphQL version 1.3.3. Description: A server-side request forgery issue exists in Hasura GraphQL. Attackers can inject arbitrary remote schema URLs through the add_remote_schema endpoint. Exploitation involves sending crafted POST request...

6.9 CVSS | 6.9 AI score | 0.00323 EPSS
Exploits: 1 | References: 7

Positive Technologies
added 2025/12/22 12:00 a.m. | 4 views

PT-2025-52690

Name of the Vulnerable Software and Affected Versions: Hasura GraphQL version 1.3.3. Description: Hasura GraphQL version 1.3.3 has a local file read issue. Attackers can access system files through SQL injection in the query endpoint. Exploitation involves the pg_read_file PostgreSQL function via...

6.9 CVSS | 7.3 AI score | 0.00183 EPSS
Exploits: 1 | References: 7

CNNVD
added 2025/12/22 12:00 a.m. | 3 views

Hasura GraphQL Engine SQL Injection Vulnerability

Hasura GraphQL Engine is a very fast GraphQL server from Hasura open source. A SQL injection vulnerability exists in Hasura GraphQL Engine version 1.3.3, which stems from the fact that SQL injection may result in local file reads...

6.9 CVSS | 7.6 AI score | 0.00183 EPSS
Exploits: 1 | References: 4

CNNVD
added 2025/12/22 12:00 a.m. | 5 views

Hasura GraphQL Engine Code Issue Vulnerability

Hasura GraphQL Engine is a very fast GraphQL server from Hasura open source. A code issue vulnerability exists in Hasura GraphQL Engine version 1.3.3, which stems from a remote schema URL injection that could lead to server-side request forgery...

6.9 CVSS | 7.3 AI score | 0.00323 EPSS
Exploits: 1 | References: 3

EUVD
added 2025/12/18 6:45 p.m. | 4 views

EUVD-2025-204304

tinacms is vulnerable to arbitrary code execution...

8.6 CVSS | 7.4 AI score | 0.00393 EPSS
Exploits: 1 | References: 3

Snyk
added 2025/12/18 6:45 p.m. | 2 views

Arbitrary Code Injection

Overview: @tinacms/graphql is a GraphQL database generating component for Tina, the headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Arbitrary Code Injection via the improper use of gray-matter package. An...

8.6 CVSS | 8 AI score | 0.00393 EPSS
Exploits: 1 | References: 2

vulnersOsv
added 2025/12/18 6:45 p.m. | 6 views

@tinacms/app (>=0.0.0-0b7103c-20251216023146 <=2.3.15), @tinacms/cli (>=0.0.0-0b7103c-20251216023146 <=2.0.3) +4 more potentially affected by CVE-2025-68278 via @tinacms/graphql (>=2.0.0 <=2.0.2)

@tinacms/graphql NPM version =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =3.1.0 Source cves: CVE-2025-68278 Source advisory: SNYK:JS-TINACMSGRAPHQL-14535448...

8.8 CVSS | 5.8 AI score | 0.00393 EPSS
Exploits: 1

vulnersOsv
added 2025/12/18 6:45 p.m. | 5 views

@bojidar-bg/tina-mdx-editor (>=0.1.0 <=0.1.1), @bojidar-bg/tina-simple-git-provider (>=0.1.0 <=0.1.1) +28 more potentially affected by CVE-2025-68278 via @tinacms/graphql (>=0.0.0-a1ff961-20250623024558 <=2.0.2)

@tinacms/graphql NPM version =0.0.0-a1ff961-20250623024558, =0.1.0, =0.1.0, =0.1.0, =0.10.0, =0.0.0-20230511135047, =0.0.0-20230511135047, =2.5.8, =0.0.4, =0.0.85, =0.0.89, =0.0.26, =0.0.34, =0.0.0-0a2c557-20250220151224, =0.0.0-0a2c557-20250220151224, =2.0.3 and more Source cves: CVE-2025-68278...

8.8 CVSS | 5.8 AI score | 0.00393 EPSS
Exploits: 1

Vulnrichment
added 2025/12/18 3:27 p.m. | 6 views

CVE-2025-68278 tinacms vulnerable to arbitrary code execution

Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cl...

8.6 CVSS | 7 AI score | 0.00393 EPSS
Exploits: 1 | References: 2