CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Tenable Nessus•added 2025/05/16 12:0 a.m.•6 views

GraphQL Import Failed

GraphQL schema file could not be imported and cannot be used during the scan. No source data...

7.3AI score

RedhatCVE•added 2025/05/07 7:14 p.m.•17 views

CVE-2025-46720

Keystone is a content management system for Node.js. Prior to version 6.5.0, field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields...

4.3CVSS6.7AI score0.00234EPSS

RedHat Linux•added 2025/05/06 8:31 p.m.•5 views

graphql-ruby: Remote code execution when loading a crafted GraphQL schema

A flaw was found in graphql-ruby. In affected versions of graphq-ruby, loading a malicious schema definition in the GraphQL::Schema.fromintrospection or the GraphQL::Schema::Loader.load can cause remote code execution. Any system that loads a schema by JSON from an untrusted source is vulnerable,...

9CVSS6.1AI score0.02865EPSS

Exploits2References13

NVD•added 2025/05/05 7:15 p.m.•18 views

CVE-2025-46720

4.3CVSS0.00234EPSS

Cvelist•added 2025/05/05 6:53 p.m.•19 views

CVE-2025-46720 Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields

3.1CVSS0.00234EPSS

Veracode•added 2025/05/05 2:17 a.m.•9 views

Denial Of Service (DoS)

github.com/mattermost/mattermost-server is vulnerable to Denial Of Service DoS. The vulnerability is due to missing validation of uniqueness and quantity of task actions in the UpdateRunTaskActions GraphQL operation, allowing attackers to overload the server by submitting excessive actions...

7.5CVSS6.5AI score0.00316EPSS

Exploits0References4Affected Software2

Veracode•added 2025/05/02 5:29 a.m.•11 views

Restriction Bypass

@escape.tech/graphql-armor-cost-limit is vulnerable to Restriction bypass. The vulnerability is due to the default enabling of the ignoreIntrospection setting in GraphQL servers, which fails to enforce query cost restrictions when a query or fragment is named schema, allows attackers to bypass co...

7.2AI score

RedhatCVE•added 2025/05/01 12:12 a.m.•29 views

CVE-2025-32354

In Zimbra Collaboration ZCS 9.0 through 10.1, a Cross-Site Request Forgery CSRF vulnerability exists in the GraphQL endpoint /service/extension/graphql of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying...

8.8CVSS7.1AI score0.00268EPSS

OSV•added 2025/04/29 4:15 p.m.•1 views

CVE-2025-32354

8.8CVSS7AI score

NVD•added 2025/04/29 4:15 p.m.•11 views

CVE-2025-32354

8.8CVSS0.00268EPSS

IBM Security Bulletins•added 2025/04/29 2:7 a.m.•15 views

Security Bulletin: IBM FileNet Content Manager GraphQL Cross-site request forgery security vulnerability

Summary IBM FileNet Content Manager in GraphQL, there is a Cross-site request forgery security vulnerability. Vulnerability Details CVEID:CVE-2020-4745 DESCRIPTION: IBM FileNet Content Manager is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and...

6.3AI score

Exploits0Affected Software1

Cvelist•added 2025/04/29 12:0 a.m.•11 views

CVE-2025-32354

0.00268EPSS

Vulnrichment•added 2025/04/29 12:0 a.m.•6 views

CVE-2025-32354

8.7AI score0.00268EPSS

Positive Technologies•added 2025/04/29 12:0 a.m.•4 views

PT-2025-18172 · Zimbra · Zimbra Collaboration

Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration ZCS versions 9.0 through 10.1 Description: A Cross-Site Request Forgery CSRF issue exists in the GraphQL endpoint /service/extension/graphql of Zimbra webmail due to a lack of CSRF token validation. This allows attackers ...

8.8CVSS9.2AI score0.00268EPSS

Exploits0References14

CVE•added 2025/04/29 12:0 a.m.•76 views

CVE-2025-32354

CVE-2025-32354 (Zimbra Collaboration) affects ZCS 9.0–10.1. A CSRF flaw in the GraphQL endpoint (/service/extension/graphql) due to missing CSRF token validation allows an authenticated user to trigger unauthorized GraphQL operations (e.g., modify contacts, change settings, access sensitive data)...

8.8CVSS6.9AI score0.00268EPSS

Exploits0References3Affected Software1

vulnersOsv•added 2025/04/28 9:31 a.m.•8 views

ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.114.0 <=0.120.0), ai.ancf.lmos:arc-memory-mongo-spring-boot-starter (>=0.114.0 <=0.120.0) +7747 more potentially affected by CVE-2025-22235 via org.springframework.boot:spring-boot (>=3.4.0 <=3.4.4)

org.springframework.boot:spring-boot MAVEN version =3.4.0, =0.114.0, =0.114.0, =0.114.0, =0.114.0, =0.5.0, =0.8.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.24, =1.0.27, =1.0.0, =1.0.0, =1.0.28 and more Source cves: CVE-2025-22235 Source advisory: OSV:GHSA-RC42-6C7J-7H5R...

7.3CVSS7.2AI score0.00358EPSS

RedhatCVE•added 2025/04/26 6:56 a.m.•10 views

CVE-2025-35965

Mattermost versions 10.4.x = 10.4.2, 10.5.x = 10.5.0, 9.11.x = 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific post...

6.5CVSS6.8AI score0.00316EPSS

vulnersOsv•added 2025/04/25 3:14 p.m.•7 views

@cedarjs/api-server (>=0.0.4 <=9.0.0-canary.1784), @cedarjs/cli (>=0.0.4 <=9.0.0-canary.1784) +65 more potentially affected by unknown CVE via @escape.tech/graphql-armor-cost-limit (>=1.7.0 <=2.4.1)

@escape.tech/graphql-armor-cost-limit NPM version =1.7.0, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.9.1-next.19, =0.0.4, =0.0.4, =0.0.2, =1.0.6, =2.0.6, =2.2.2, =2.19.6 and more Source cves: unknown CVE Source advisory: OSV:GHSA-733V-P3H5-QPQ7...

5.8AI score