3202 matches found
WPEngine WPGraphQL 0.2.3 - Unauthenticated User Information Disclosure
An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username. id: CVE-2019-9880 info: name: WPEngine WPGraphQL 0.2.3 -...
Stash < 0.26.0 - SQL Injection
Stash up to v0.25.1 was discovered to contain a SQL injection vulnerability via the sort parameter. id: CVE-2024-32231 info: name: Stash Stash" tags: cve,cve2024,stash,sqli,vuln http: - raw: - | POST /graphql HTTP/1.1 Host: Hostname Content-type: application/json...
SuiteCRM Unauthenticated Graphql Introspection
Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. id: CVE-2023-47643 info: name: SuiteCRM Unauthenticated Graphql Introspection author: isacaya severity: medium description: | Graphql Introspection is enabled without...
Gitlab CE/EE 13.4 - 13.6.2 - Information Disclosure
GitLab CE and EE 13.4 through 13.6.2 is susceptible to Information disclosure via GraphQL. User email is visible. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. id: CVE-2020-26413 info:...
SkyWalking SQLI
When using H2/MySQL/TiDB as Apache SkyWalking storage and a metadata query through GraphQL protocol, there is a SQL injection vulnerability which allows access to unexpected data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQ...
Craft CMS <=v3.7.31 - SQL Injection
Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. id: CVE-2024-37843 info: name: Craft CMS =v3.7.31 - SQL Injection author: iamnoooob,rootxharsh,pdresearch severity: critical description: | Craft CMS up to v3.7.31 was discovered to conta...
CVE-2026-46515
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERMREAD access was sufficient to call fmlistmanagers, fmlistpinsets, fmshowcontext, fmgetmcpconfig, fmbackupstatus, fmwhoscalling, fmrunsavedquery, and fmdiagnosetrunk, exposing AMI manager secrets, outbound dial PIN...
CVE-2026-63397
CVE-2026-63397 : The NVD/CVE entries describe a vulnerability in remorses/genql prior to version 6.3.4 where an authenticated attacker who can control the GraphQL schema passed to genql can inject arbitrary JavaScript or TypeScript. The injected code is written into the generated schema.ts file a...
remorses/genql code injection
RISK EVALUATION remorses/genql before version 6.3.4 allows an authenticated attacker with control of the GraphQL schema that is passed to genql to inject arbitrary JavaScript or TypeScript. The malicious code is injected into the generated schema.ts file and executes when the genql client is...
CVE-2026-46515
CVE-2026-46515 (Frogman) affects Frogman’s headless PBX control via MCP and HTTP API. Before version 1.6.3, a PERM_READ privilege was sufficient to call multiple endpoints (fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query...
GitLab GraphQL API User Enumeration
An unauthenticated remote attacker can leverage this vulnerability to collect registered GitLab usernames, names, and email addresses. id: CVE-2021-4191 info: name: GitLab GraphQL API User Enumeration author: zsusac severity: medium description: An unauthenticated remote attacker can leverage thi...
K000162177: Spring Framework vulnerability CVE-2026-41699
Security Advisory Description Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated Connection field and...
ROOT-APP-PYPI-CVE-2026-35523 CVE-2026-35523 in rootio-strawberry-graphql - Patched by Root
Root has patched CVE-2026-35523 in the rootio-strawberry-graphql package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2026-35526 CVE-2026-35526 in rootio-strawberry-graphql - Patched by Root
Root has patched CVE-2026-35526 in the rootio-strawberry-graphql package for Root:PyPI. Multiple fixed versions available...
CVE-2026-59721
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILERSMTPURL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into...
CVE-2026-6352
A flaw was found in GitLab Enterprise Edition EE. An authenticated user with auditor-level access could modify compliance violation records. This was possible due to improper authorization on certain GraphQL operations, allowing them to bypass intended access controls...
Linux Distros Unpatched Vulnerability : CVE-2026-6352
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain...
GitLab 18.2 < 18.11.7 / 19.0 < 19.0.4 / 19.1 < 19.1.2 (CVE-2026-6352)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticate...
CVE-2026-6352
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with auditor-level access to modify compliance violation records due to improper...
CVE-2026-35211
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260401.0, the OpenCTI GraphQL API exposes a script filter operator in its FilterOperator enum that allows any authenticated user with the KNOWLEDGE capability to pass user-supplied...