Lucene search

3121 matches found

OSV
added 2023/03/02 6:29 p.m. · 28 views

CVE-2023-26051 Saleor is vulnerable to staff-authenticated error message information disclosure vulnerability via Python exceptions

Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like user email address in staff-authenticated...

CVSS 6.5 · AI score 5 · EPSS 0.00817
Exploits 0 · References 10
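The Saleor entry above is the error-handling side of a GraphQL API: an internal exception whose message is handed back to the caller, and the message happens to carry another user's data. The block below is an added example of the masking step, not Saleor's own fix, and it is in JavaScript (the language of the other added examples on this page) rather than Saleor's Python. The `extensions.expected` convention, the request id, the log array and the sample errors are assumptions constructed for the example.

```javascript
// Added example (not Saleor code): mask unexpected exceptions before they
// reach a GraphQL client, keeping the detail in a server-side log keyed by
// the request id. Error shapes, the `expected` flag and the log array are
// assumptions made for this example.

// Convention assumed here: errors a resolver intends the client to see carry
// extensions.expected === true; any other error is an internal failure.
function isExpected(err) {
  return Boolean(err && err.extensions && err.extensions.expected === true);
}

// serverLog is an array standing in for a logger; requestId is the id the
// server already attached to this request (constructed in demo()).
function formatErrorForClient(err, serverLog, requestId) {
  if (isExpected(err)) {
    return { message: err.message, path: err.path, extensions: err.extensions };
  }
  // Internal failure: log everything, send the client only a correlation id.
  serverLog.push({ requestId, name: err.name, message: err.message,
                   stack: err.stack, path: err.path });
  return {
    message: 'Internal server error',
    path: err.path,
    extensions: { code: 'INTERNAL_SERVER_ERROR', requestId },
  };
}

// Apply to a whole GraphQL result body; data passes through unchanged.
function maskResponseErrors(result, serverLog, requestId) {
  if (!Array.isArray(result.errors)) return result;
  return { ...result,
           errors: result.errors.map(e => formatErrorForClient(e, serverLog, requestId)) };
}

// Constructed sample result: one error meant for the client, one leaked from
// the data layer with another user's email address in its message.
function demo() {
  const log = [];
  const leaked = new Error(
    'IntegrityError: duplicate key value (email)=(alice@example.com) already exists');
  leaked.path = ['accountRegister'];
  const raw = {
    data: { staffUsers: null, accountRegister: null },
    errors: [
      { message: 'You do not have permission to perform this action.',
        path: ['staffUsers'], extensions: { expected: true, code: 'PERMISSION_DENIED' } },
      leaked,
    ],
  };
  const masked = maskResponseErrors(raw, log, 'req-7f3a9c');
  return { masked, log };
}
```

The client keeps the error position (`path`) and a correlation id it can quote to support; the exception class, message and stack stay in the server log. The same split applies to any error the framework generates for you: whitelist what is intended for callers, mask the rest.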
Drupal
added 2023/03/01 12:00 a.m. · 17 views

Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007

Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thundergqls module which provides a graphql interface. The module doesn't sufficiently check access when serving user data via graphql leading to an access bypass vulnerability potentially exposing...

AI score 6.7
Exploits 0 · References 7
OSV
added 2023/02/28 10:21 p.m. · 44 views

CVE-2023-25575 Secured properties in API Platform Core may be accessible within collections

API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the security option of the ApiPlatform\Metadata\ApiProperty attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON...

CVSS 7.7 · AI score 6.5 · EPSS 0.00604
Exploits 0 · References 4
IBM Security Bulletins
added 2023/02/24 1:15 p.m. · 53 views

Security Bulletin: CVE-2022-37734 may affect IBM CICS TX Standard

Summary: WebSphere Application Server Liberty is vulnerable to denial of service due to GraphQL Java. This affects IBM WebSphere Liberty used by IBM CICS TX Standard. IBM CICS TX Standard has addressed the applicable CVEs. Vulnerability Details: CVEID: CVE-2022-37734. DESCRIPTION: GraphQL Java is...

CVSS 7.5 · AI score 7.3 · EPSS 0.02062
Exploits 1 · Affected Software 1
IBM Security Bulletins
added 2023/02/24 1:08 p.m. · 67 views

Security Bulletin: CVE-2022-37734 may affect IBM CICS TX Advanced

Summary: WebSphere Application Server Liberty is vulnerable to denial of service due to GraphQL Java. This affects IBM WebSphere Liberty used by IBM CICS TX Advanced. IBM CICS TX Advanced has addressed the applicable CVEs. Vulnerability Details: CVEID: CVE-2022-37734. DESCRIPTION: GraphQL Java is...

CVSS 7.5 · AI score 7.3 · EPSS 0.02062
Exploits 1 · Affected Software 1
Veracode
added 2023/02/17 9:16 a.m. · 15 views

File Access Bypass

graphql-mesh/cli and graphql-mesh/http are vulnerable to File Access Bypass. The vulnerability is due to the staticFiles parameter in the configuration file being set to serve, which allows an attacker to access files in the server's file system by relative paths...

AI score 4
Exploits 0
vulnersOsv
added 2023/02/16 6:41 p.m. · 1 view

@accounter-toolkit/green-invoice-graphql (>=0.0.2 <=0.2.0-alpha-20230313141007-4bdbab6), @accounter-toolkit/hashavshevet-mesh (>=0.0.2 <=0.0.4-alpha-20230313141007-4bdbab6) +10 more potentially affected by CVE-2025-27098 via @graphql-mesh/cli (>=0.78.0 <=0.82.21)

@graphql-mesh/cli NPM version =0.78.0, =0.0.2, =0.0.2, =0.0.2, =0.2.0-alpha.24, =5.1.0-canary.3, =6.0.0-canary.20, =6.0.0-canary.20, =6.0.0-canary.20, =2.2.6, =0.1.147, =0.1.3, =0.1.9, =0.1.10 Source cves: CVE-2025-27098 Source advisory: OSV:GHSA-J2WH-WRV3-4X4G...

CVSS 7.5 · AI score 5.8 · EPSS 0.00336
Exploits 1
Spring Security Advisories
added 2023/02/16 12:00 a.m. · 16 views

A Bootiful Podcast: Avalara's Kumaresan Muthaliar on GraphQL in the heavily regulated, data intensive domain of tax

Hi, Spring fans! In this installment Josh Long @starbuxman talks to Kumaresan Muthaliar, senior technical lead at Avalara, about GraphQL in the heavily regulated, data intensive domain of tax...

AI score 3.4
Exploits 0
Spring Security Advisories
added 2023/02/16 12:00 a.m. · 10 views

A Bootiful Podcast: Avalara's Kumaresan Muthaliar on GraphQL in the heavily regulated, data intensive domain of tax

Hi, Spring fans! In this installment Josh Long @starbuxman talks to Kumaresan Muthaliar, senior technical lead at Avalara, about GraphQL in the heavily regulated, data intensive domain of tax...

AI score 3.4
Exploits 0
Positive Technologies
added 2023/02/16 12:00 a.m. · 4 views

PT-2023-36349 · Unknown · @Graphql-Mesh/Http +1

Name of the Vulnerable Software and Affected Versions: @graphql-mesh/cli versions prior to 0.82.21; @graphql-mesh/http versions prior to 0.3.18. Description: A missing check vulnerability in the static file handler allows any client to access files in the server's file system. When staticFiles is s...

CVSS 7.5 · AI score 6.8 · EPSS 0.00336
Exploits 1 · References 9
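The two graphql-mesh static-file entries above (Veracode and PT-2023-36349) describe a handler that serves files from the configured directory without confining the requested path to it. The block below is an added example, not code from graphql-mesh: it puts the shape of check that fails for this bug class next to a resolver that confines the result. The root `/srv/static` and the request strings are constructed for the example, and the POSIX path normaliser is hand-written so the block runs with no module imports.

```javascript
// Added example (not graphql-mesh code): confining a client-supplied path to
// a static-files root. Root and request strings are constructed for the example.

// Minimal POSIX normaliser: collapses '.', '..' and repeated '/' and never
// rises above '/'. Written by hand here so the block has no imports.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// The shape of check that fails: join, then test only that the result starts
// with the root string. A '..' segment escapes, and a sibling directory that
// shares the root's prefix (/srv/static-private) still passes the test.
function resolveStaticPathWeak(root, requested) {
  const target = normalizePosix(root + '/' + requested);
  return { target, allowed: target.startsWith(root) };
}

// Hardened: percent-decode once, reject NUL, treat backslash as a separator,
// drop leading slashes so an absolute request stays relative to root, then
// require the normalised target to be root itself or strictly below root + '/'.
// Returns the absolute target, or null when the request must be refused.
function resolveStaticPathSafe(root, requested) {
  let decoded;
  try { decoded = decodeURIComponent(requested); } catch (e) { return null; }
  if (decoded.includes('\0')) return null;
  decoded = decoded.replace(/\\/g, '/').replace(/^\/+/, '');
  const rootAbs = normalizePosix(root);
  const target = normalizePosix(rootAbs + '/' + decoded);
  const prefix = rootAbs === '/' ? '/' : rootAbs + '/';
  return target === rootAbs || target.startsWith(prefix) ? target : null;
}

// Constructed requests against an assumed root, with both verdicts side by side.
function demoVerdicts(root = '/srv/static') {
  return ['css/app.css', '../etc/passwd', '%2e%2e/%2e%2e/etc/passwd',
          '..\\..\\etc\\passwd', '/etc/passwd', 'a%00.html',
          '../static-private/secret']
    .map(r => ({ request: r,
                 safe: resolveStaticPathSafe(root, r),
                 weakAllowed: resolveStaticPathWeak(root, r).allowed }));
}
```

At serve time the check is not finished here: resolve the target with `fs.realpath` and repeat the prefix test, because a symlink inside the root can still point outside it, and serve only regular files. Decoding exactly once matters as well; a handler that decodes after this check reopens the `%2e%2e` case.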
vulnersOsv
added 2023/02/15 3:15 p.m. · 25 views

3lc (>=2.3.84 <=2.6.4), aiocronjob (>=0.6.0 <=0.7.0) +10 more potentially affected by CVE-2023-25578 via starlite (>=1.39.0 <=1.51.16)

starlite PYPI version =1.39.0, =2.3.84, =0.6.0, =0.4.0, =0.5.1, =1.0.0, =0.1.0, =0.1.3, =1.0.0, =0.1.0, =0.8.1 - strawberry-graphql =0.168.0 Source cves: CVE-2023-25578 Source advisory: OSV:PYSEC-2023-49...

CVSS 7.5 · AI score 7.1 · EPSS 0.01004
Exploits 1
SUSE CVE
added 2023/02/15 4:07 a.m. · 4 views

SUSE CVE-2019-18455

An issue was discovered in GitLab Community and Enterprise Edition 11 through 12.4 when building Nested GraphQL queries. It has a large or infinite loop...

CVSS 7.5 · AI score 7.5 · EPSS 0.01479
Exploits 0 · References 3
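The GitLab nested-query entry (CVE-2019-18455) and the GraphQL Java denial-of-service entries (CVE-2022-37734) above are both about server work that scales with the shape of an attacker-chosen document. The block below is an added example, not code from GitLab, GraphQL Java or any other project on this page: a pre-parse scan that bounds selection-set depth and the number of names before the real parser and validator run. The limits and the sample query are assumptions. The scan cannot see through fragment spreads, so an AST-level depth or cost validation rule is still required after parsing; this only makes the parser's input cheap to reject.

```javascript
// Added example (not GitLab or GraphQL Java code): cheap pre-parse budget for
// a GraphQL document. Limits are assumed values for the example.
const LIMITS = { maxDepth: 10, maxFields: 500 };

// Scans the raw document, skipping comments, strings and block strings, and
// counting '{' nesting outside argument lists as selection-set depth. Every
// name inside a selection set (fields, aliases, directives, enum values) is
// counted, so `fields` is a deliberate over-estimate.
function measureQuery(src) {
  let depth = 0, maxDepth = 0, fields = 0, paren = 0, underflow = false;
  const n = src.length;
  let i = 0;
  while (i < n) {
    const c = src[i];
    if (c === '#') {                               // line comment
      while (i < n && src[i] !== '\n') i++;
    } else if (src.startsWith('"""', i)) {         // block string
      const end = src.indexOf('"""', i + 3);
      i = end === -1 ? n : end + 3;
    } else if (c === '"') {                        // string, honour escapes
      i++;
      while (i < n && src[i] !== '"') { if (src[i] === '\\') i++; i++; }
      i++;
    } else if (c === '(') { paren++; i++; }
    else if (c === ')') { paren = Math.max(0, paren - 1); i++; }
    else if (c === '{') {                          // object values inside ( ) are not selections
      if (paren === 0) { depth++; if (depth > maxDepth) maxDepth = depth; }
      i++;
    } else if (c === '}') {
      if (paren === 0) { if (depth === 0) underflow = true; else depth--; }
      i++;
    } else if (/[_A-Za-z]/.test(c)) {              // a name token
      let j = i + 1;
      while (j < n && /[_0-9A-Za-z]/.test(src[j])) j++;
      if (depth > 0 && paren === 0) fields++;
      i = j;
    } else {
      i++;
    }
  }
  return { maxDepth, fields, balanced: depth === 0 && paren === 0 && !underflow };
}

// Reject before parsing when the document exceeds the budget.
function checkQuery(src, limits = LIMITS) {
  const m = measureQuery(src);
  if (!m.balanced) return { ok: false, reason: 'unbalanced braces or parentheses' };
  if (m.maxDepth > limits.maxDepth) return { ok: false, reason: `depth ${m.maxDepth} > ${limits.maxDepth}` };
  if (m.fields > limits.maxFields) return { ok: false, reason: `names ${m.fields} > ${limits.maxFields}` };
  return { ok: true, ...m };
}

// Constructed sample: a self-referential `friends` chain `levels` deep.
function nestedQuery(levels) {
  let q = 'id';
  for (let k = 0; k < levels; k++) q = `friends { ${q} }`;
  return `query Deep($first: Int = 10) { viewer { ${q} } }`;
}
```

Depth counts every selection set including the operation's root, so `{ viewer { id } }` is depth 2 and `nestedQuery(8)` is depth 10. Run this on the request body before handing it to the parser; a rejected document costs the server one linear scan instead of a parse, validation and possibly execution.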
NVD
added 2023/02/13 11:15 p.m. · 13 views

CVE-2022-3411

A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage...

CVSS 6.5 · AI score 6 · EPSS 0.01247
Exploits 0 · References 3
UbuntuCve
added 2023/02/13 11:15 p.m. · 24 views

CVE-2022-3411

A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage...

CVSS 6.5 · AI score 6.6 · EPSS 0.01247
Exploits 0 · References 4
OSV
added 2023/02/13 11:15 p.m. · 2 views

UBUNTU-CVE-2022-3411

A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage...

CVSS 6.5 · AI score 5.8 · EPSS 0.01247
Exploits 0 · References 5
Cvelist
added 2023/02/13 8:49 p.m. · 23 views

CVE-2023-25572 React-Admin vulnerable to Cross-Site-Scripting attack on `<RichTextField>`

react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...

CVSS 5.4 · AI score 5.3 · EPSS 0.00694
Exploits 1 · References 5
OSV
added 2023/02/13 8:49 p.m. · 55 views

CVE-2023-25572 React-Admin vulnerable to Cross-Site-Scripting attack on `<RichTextField>`

react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...

CVSS 5.4 · AI score 5.3 · EPSS 0.00694
Exploits 1 · References 7
Cvelist
added 2023/02/13 12:00 a.m. · 19 views

CVE-2022-3411

A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage...

CVSS 6.5 · AI score 6.5 · EPSS 0.01247
Exploits 0 · References 3
Vulnrichment
added 2023/02/13 12:00 a.m. · 6 views

CVE-2022-3411

A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage...

CVSS 6.5 · AI score 6.6 · EPSS 0.01247
Exploits 0 · References 3
OSV
added 2023/02/13 12:00 a.m. · 22 views

CVE-2022-3411

A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage...

CVSS 6.5 · AI score 6.3 · EPSS 0.01247
Exploits 0 · References 5