3087 matches found
GitLab 安全漏洞
GitLab is an end-to-end software development platform provided by the American company GitLab. It includes built-in features such as version control, issue tracking, code review, and CI/CD Continuous Integration and Delivery. There were security vulnerabilities in versions prior to GitLab EE...
GitLab 安全漏洞
GitLab is an end-to-end software development platform provided by the American company GitLab. It includes built-in features such as version control, issue tracking, code review, and CI/CD continuous integration and delivery. There were security vulnerabilities in versions prior to GitLab 18.8.9,...
PT-2026-31347
Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an...
PT-2026-31536
Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 13.0 through 18.8.8, 18.9 through 18.9.4, and 18.10 through 18.10.2 Description The software is susceptible to a denial-of-service condition triggered by repeated GraphQL queries from an unauthenticated user...
Gitlab -- vulnerabilities
Gitlab reports: Exposed Method issue in websocket connections impacts GitLab CE/EE Denial of Service issue in Terraform state lock API impacts GitLab CE/EE Denial of Service issue in GraphQL API impacts GitLab CE/EE Denial of Service issue in CSV import impacts GitLab CE/EE Denial of Service issu...
CVE-2026-35441
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive...
CVE-2026-35413
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQLINTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries schema, type. However, the serverspecsgraphql resolver on the /graphql/system endpoint...
CVE-2026-35523
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...
aas2openapi (>=0.2.0 <=0.2.4), adelecv (>=0.0.1 <=0.0.2) +105 more potentially affected by CVE-2026-35523 via strawberry-graphql (>=0.103.9 <=0.312.0)
strawberry-graphql PYPI version =0.103.9, =0.2.0, =0.0.1, =1.0.0, =0.0.1, =2025.4.0, =2025.4.0, =0.1.1, =0.1.0, =0.1.0, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.0.2rc0, =2.11.1 and more Source cves: CVE-2026-35523 Source advisory: OSV:PYSEC-2026-133...
PYSEC-2026-133
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...
PYSEC-2026-133
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...
PYSEC-2026-134
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...
aas2openapi (>=0.2.0 <=0.2.4), adelecv (>=0.0.1 <=0.0.2) +105 more potentially affected by CVE-2026-35526 via strawberry-graphql (>=0.103.9 <=0.312.0)
strawberry-graphql PYPI version =0.103.9, =0.2.0, =0.0.1, =1.0.0, =0.0.1, =2025.4.0, =2025.4.0, =0.1.1, =0.1.0, =0.1.0, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.0.2rc0, =2.11.1 and more Source cves: CVE-2026-35526 Source advisory: OSV:PYSEC-2026-134...
PYSEC-2026-134
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...
CVE-2026-35523 Authentication bypass in strawberry-graphql via legacy graphql-ws WebSocket subprotocol
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...
CVE-2026-35523
CVE-2026-35523 affects Strawberry GraphQL up to version 0.312.3, where the legacy graphql-ws WebSocket subprotocol may bypass authentication on WebSocket subscription endpoints. The root cause is that the graphql-ws handshake (connection_init) is not verified before processing start/subscription ...
CVE-2026-35523 Authentication bypass in strawberry-graphql via legacy graphql-ws WebSocket subprotocol
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...
CVE-2026-35523
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...
CVE-2026-35526
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...
CVE-2026-35526 Strawberry GraphQL affected by a Denial of Service via unbounded WebSocket subscriptions
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...