
45 matches found

Positive Technologies
added 2026/05/08 12:0 a.m., 5 views

PT-2026-39147

Name of the Vulnerable Software and Affected Versions: absinthe_plug versions 1.2.0 through 1.10.1. Description: Reflected cross-site scripting is possible via the GraphiQL interface. The js_escape/1 function in lib/absinthe/plug/graphiql.ex fails to escape backslashes when processing the query GET...

CVSS 2.3, AI score 5.9, EPSS 0.0001
Exploits 0, References 11
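The absinthe_plug entry above describes an escaper that handles quotes but not backslashes when a GET query is written into the GraphiQL page. The following is an added illustration in JavaScript, not the project's Elixir code: `weakJsLiteral` is a hypothetical escaper with that flaw, `safeJsLiteral` is a hardened replacement built on JSON.stringify, and `scanStringLiteral` is a small scanner that shows whether a payload stays data or breaks out of the embedded string literal. The payload is constructed for the example.

```javascript
// Added illustration of the escaping flaw class in the absinthe_plug entry:
// a value embedded into a JavaScript string literal with quotes escaped but
// backslashes left alone. Example code, not the project's own.

// Hypothetical weak escaper: handles quotes and line breaks, misses backslashes.
// A payload containing backslash-quote becomes \\" -- the backslash is consumed
// escaping itself and the quote closes the string early.
function weakJsLiteral(s) {
  const body = String(s)
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r');
  return `"${body}"`;
}

// Hardened: JSON.stringify escapes backslashes, quotes and control characters.
// '<' is escaped as well so the literal can never contain "</script>" and end
// the surrounding <script> element (general hardening, not the project's fix).
// U+2028/U+2029 are escaped for engines that treated them as line terminators.
function safeJsLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Minimal scanner for a double-quoted JS string literal. Returns the decoded
// value and whatever source text follows the closing quote; any trailing text
// means the payload broke out of the literal and would run as code.
function scanStringLiteral(src) {
  if (src[0] !== '"') throw new Error('expected opening quote');
  const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f' };
  let value = '';
  for (let i = 1; i < src.length; i++) {
    const c = src[i];
    if (c === '\\') {
      const n = src[++i];
      if (n === undefined) break;
      if (n === 'u') {
        value += String.fromCharCode(parseInt(src.slice(i + 1, i + 5), 16));
        i += 4;
      } else {
        value += simple[n] !== undefined ? simple[n] : n; // \\ \" \/ -> next char
      }
    } else if (c === '"') {
      return { value, trailing: src.slice(i + 1) };
    } else {
      value += c;
    }
  }
  throw new Error('unterminated string literal');
}

// Embed the query the way a GraphiQL page would, then report whether the
// payload survived as data (roundTrips) or escaped into code (trailing text).
function embedQuery(query, makeLiteral) {
  const literal = makeLiteral(query);
  const { value, trailing } = scanStringLiteral(literal);
  return {
    html: `<script>var defaultQuery = ${literal};</script>`,
    roundTrips: value === String(query) && trailing === '',
    trailing,
  };
}

// Constructed payload: a backslash, a quote, then attacker-controlled code.
const PAYLOAD = '\\";alert(document.domain)//';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', embedQuery(PAYLOAD, weakJsLiteral));
  console.log('safe:', embedQuery(PAYLOAD, safeJsLiteral));
}
```

With the weak escaper the rendered script is `var defaultQuery = "\\";alert(document.domain)//";`, so the literal ends after one backslash and the rest executes; with the hardened form the same payload comes back unchanged and nothing follows the closing quote.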
IBM Security Bulletins
added 2026/04/08 8:42 a.m., 4 views

Security Bulletin: Dynamic XSS Vulnerability in GraphiQL via Malicious Schema Introspection Responses (Pre-v1.4.7) watsonx.data

Summary All versions of GraphiQL before 1.4.7 are vulnerable to a dynamic XSS flaw triggered by malicious schema introspection responses or crafted type names, potentially allowing code injection during autocomplete—especially in custom setups where the schema endpoint can be user-controlled. Thi...

CVSS 7.1, AI score 7.1, EPSS 0.00398
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2026/03/14 9:13 a.m., 6 views

Security Bulletin: IBM Edge Data Collector uses nix-0.26.4.crate, nix-0.29.0.crate, tokio-util-0.6.10.crate, tokio-util-0.7.13.crate which is vulnerable to CVE-2021-41248.

Summary: IBM Edge Data Collector uses nix-0.26.4.crate, nix-0.29.0.crate, tokio-util-0.6.10.crate, tokio-util-0.7.13.crate which is vulnerable to CVE-2021-41248. This bulletin contains information addressing the vulnerability. Vulnerability Details: CVEID: CVE-2021-41248. DESCRIPTION: GraphiQL is the...

CVSS 7.1, AI score 5.9, EPSS 0.00398
Exploits 0, Affected Software 1
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-2411

Malware in sbrugna...

CVSS 7.1, AI score 5.3, EPSS 0.00398
Exploits 0, References 9
OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 3 views

Malicious code in cli-plugin-graphiql (npm)

The package cli-plugin-graphiql was found to contain malicious code...

AI score 7
Exploits 0
OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 4 views

Malicious code in shopify-graphiql-rails (npm)

The package shopify-graphiql-rails was found to contain malicious code...

AI score 7
Exploits 0
OSV
added 2025/08/14 6:52 p.m., 1 view

MAL-2025-33126 Malicious code in shopify-graphiql-rails (npm)

The package shopify-graphiql-rails was found to contain malicious code...

AI score 7.2
Exploits 0
OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 4 views

Malicious code in graphiql-rails-fork (npm)

The package graphiql-rails-fork was found to contain malicious code...

AI score 7
Exploits 0
OSV
added 2025/08/14 6:52 p.m., 1 view

MAL-2025-17111 Malicious code in cli-plugin-graphiql (npm)

The package cli-plugin-graphiql was found to contain malicious code...

AI score 7.2
Exploits 0
OSV
added 2025/08/14 6:52 p.m., 1 view

MAL-2025-21879 Malicious code in graphiql-rails-fork (npm)

The package graphiql-rails-fork was found to contain malicious code...

AI score 7.2
Exploits 0
RedhatCVE
added 2025/05/22 9:21 p.m., 5 views

CVE-2021-41248

GraphiQL is the reference implementation of this monorepo, GraphQL IDE, an official project under the GraphQL Foundation. All versions of graphiql older than graphiql@1.4.7 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names,...

CVSS 7.1, AI score 6.4, EPSS 0.00398
Exploits 0
Imperva Blog
added 2023/09/05 10:10 p.m., 27 views

GraphQL Vulnerabilities and Common Attacks: What You Need to Know

GraphQL is a powerful query language for APIs that has gained popularity in recent years for its flexibility and ability to provide a great developer experience. However, with the rise of GraphQL usage comes the potential for security vulnerabilities and attacks. In this blog post, we will descri...

AI score 8.5
Exploits 0
OSSF Malicious Packages
added 2022/06/20 8:25 p.m., 1 view

Malicious code in amplify-graphiql-explorer (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d1d3e576fc6b5204dca87f9ac269c183497998d162c90a7dcabf36447fa318ec Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits 0, References 1
OSV
added 2022/06/20 8:25 p.m., 7 views

MAL-2022-980 Malicious code in amplify-graphiql-explorer (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d1d3e576fc6b5204dca87f9ac269c183497998d162c90a7dcabf36447fa318ec Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits 0, References 1
Spring Engineering
added 2022/05/19 10:56 a.m., 23 views

Spring for GraphQL 1.0 Release

On behalf of the Spring for GraphQL team and every contributor, it is my pleasure to announce the 1.0 GA release. It's been 10 months since the project was announced and under 2 years since the first commit, unremarkably called "first commit". The project began with the modest goal to replace the...

AI score 7.4
Exploits 0
Kitploit
added 2022/03/08 11:30 a.m., 40 views

GraphQL Cop - Security Auditor Utility For GraphQL APIs

GraphQL Cop is a small Python utility to run common security tests against GraphQL APIs. Requirements: Python3, Requests Library. Detections: Alias Overloading DoS; Batch Queries DoS; GET based Queries CSRF; GraphQL Tracing / Debug Modes Info Leak; Field Duplication DoS; Field Suggestions Info Leak; Graphi...

AI score 7.4
Exploits 0, References 1
OSV
added 2021/11/08 6:3 p.m., 3 views

GHSA-X4R7-M2Q9-69C8 GraphiQL introspection schema template injection attack

Contents: 1. Impact; 2. Scope; 3. Patches; 3.1 CDN bundle implementations may be automatically patched; 4. Workarounds for Older Versions; 5. How to Re-create the Exploit; 6. Credit; 7. References; 8. For more information. This is a security advisory for an XSS vulnerability in graphiql. A similar...

CVSS 7.1, AI score 6, EPSS 0.00398
Exploits 0, References 8
Github Security Blog
added 2021/11/08 6:3 p.m., 61 views

GraphiQL introspection schema template injection attack

Contents: 1. Impact; 2. Scope; 3. Patches; 3.1 CDN bundle implementations may be automatically patched; 4. Workarounds for Older Versions; 5. How to Re-create the Exploit; 6. Credit; 7. References; 8. For more information. This is a security advisory for an XSS vulnerability in graphiql. A similar...

CVSS 7.1, AI score 0.4, EPSS 0.00398
Exploits 0, References 8, Affected Software 1
vulnersOsv
added 2021/11/08 6:3 p.m., 1 view

@abtnode/cli (>=1.8.68 <=1.8.69-beta-e0666d0d), @abtnode/webapp (>=1.8.68 <=1.8.69-beta-e0666d0d) +73 more potentially affected by CVE-2021-41248 +1 more via graphiql (>=0.5.0 <=1.4.6)

graphiql NPM version =0.5.0, =1.8.68, =1.8.68, =2.1.58, =0.1.6, =0.0.0, =0.0.0-nightly-20240830022837, =0.0.0-nightly-20231117021546, =0.0.0-nightly-2020972106, =0.1.1-alpha.19, =0.0.0-nightly-2020972106, =1.7.1, =1.8.68, =1.0.0, =1.0.0-beta.1, =4.1.9 and more Source cves: CVE-2021-41248,...

CVSS 7.1, AI score 6.7, EPSS 0.00398
Exploits 0
NVD
added 2021/11/04 9:15 p.m., 7 views

CVE-2021-41248

GraphiQL is the reference implementation of this monorepo, GraphQL IDE, an official project under the GraphQL Foundation. All versions of graphiql older than graphiql@1.4.7 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names,...

CVSS 7.1, EPSS 0.00398
Exploits 0, References 3
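Several entries on this page (the IBM bulletin, the Red Hat and NVD records for CVE-2021-41248, and the GitHub advisory "GraphiQL introspection schema template injection attack") describe GraphiQL trusting type names taken from a schema introspection response. The following is an added example, not GraphiQL's own code or its patch: it treats the introspection JSON as untrusted input, rejects any `name` that does not match the GraphQL Name grammar from the specification, and HTML-escapes free-text descriptions before display. The sample response, including the hostile type name and enum value, is constructed for this example.

```javascript
// Added example for the CVE-2021-41248 entries: validate an introspection
// response before an IDE renders anything from it. Not GraphiQL's code.

// Name grammar from the GraphQL specification: /[_A-Za-z][_0-9A-Za-z]*/.
const GRAPHQL_NAME = /^[_A-Za-z][_0-9A-Za-z]*$/;

// Walk the JSON and collect every `name` that is not a legal GraphQL Name.
// `name: null` is legitimate on LIST / NON_NULL type wrappers and is skipped.
function findInvalidNames(node, path = '', out = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findInvalidNames(item, `${path}[${i}]`, out));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, val] of Object.entries(node)) {
      const p = path ? `${path}.${key}` : key;
      if (key === 'name') {
        if (val !== null && (typeof val !== 'string' || !GRAPHQL_NAME.test(val))) {
          out.push({ path: p, value: val });
        }
      } else {
        findInvalidNames(val, p, out);
      }
    }
  }
  return out;
}

// Gate: return the schema object, or refuse the whole response if any name
// is malformed. Failing closed is preferable to rendering part of a hostile
// schema.
function acceptIntrospection(response) {
  const violations = findInvalidNames(response);
  if (violations.length > 0) {
    const err = new Error(`introspection response rejected: ${violations.length} invalid name(s)`);
    err.violations = violations;
    throw err;
  }
  return response.data.__schema;
}

// Descriptions are free text: escape before inserting into HTML (or set them
// via textContent in a real DOM and never via innerHTML).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: a hostile server answering introspection with a type
// name carrying markup and an enum value carrying template syntax.
const SAMPLE_INTROSPECTION = {
  data: {
    __schema: {
      queryType: { name: 'Query' },
      types: [
        {
          kind: 'OBJECT',
          name: 'Query',
          fields: [{
            name: 'user',
            args: [{ name: 'id', type: { kind: 'NON_NULL', name: null, ofType: { kind: 'SCALAR', name: 'ID' } } }],
            type: { kind: 'OBJECT', name: 'User' },
          }],
        },
        { kind: 'OBJECT', name: '<img src=x onerror=alert(1)>', description: 'x <b>y</b>', fields: [] },
        { kind: 'ENUM', name: 'Role', enumValues: [{ name: 'ADMIN' }, { name: '${alert(1)}' }] },
      ],
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findInvalidNames(SAMPLE_INTROSPECTION));
}
```

Checking names against the grammar is stricter than escaping at render time and catches the problem at the trust boundary: a legal GraphQL Name cannot contain `<`, `{`, quotes or whitespace, so anything that would be meaningful to an HTML or template parser is rejected before it reaches the autocomplete or documentation panes.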