PT-2026-30761

Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection init handshake has been completed before processing start subscription messages. This allows a remote...

Directus 信息泄露漏洞

Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.16.1 contained a vulnerability related to information leakage. This vulnerability stemmed from the serverspecs GraphQL parser not...

Directus 安全漏洞

Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.17.0 contained a security vulnerability. This vulnerability stemmed from GraphQL endpoints not repeatedly calling the data deletion...

GHSA-6Q22-G298-GRJH Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver

Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution ...

Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver

Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution ...

GHSA-PH52-67FQ-75WJ Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits

Summary Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large...

Allocation of Resources Without Limits or Throttling

Overview directus is a Directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the GraphQL resolver process. An attacker can exhaust server resources and cause...

Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits

Summary Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large...

GHSA-WXWM-3FXV-MRVX Directus: GraphQL Schema SDL Disclosure Setting

Summary When GRAPHQLINTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries schema, type. However, the serverspecsgraphql resolver on the /graphql/system endpoint returns an equivalent SDL representation of the schema and was not subject to the same...

Directus: GraphQL Schema SDL Disclosure Setting

Summary When GRAPHQLINTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries schema, type. However, the serverspecsgraphql resolver on the /graphql/system endpoint returns an equivalent SDL representation of the schema and was not subject to the same...

py-strawberry-graphql -- Multiple vulnerabilities

The Strawberry GraphQL project reports: Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a 'connectioninit' handshake has been completed before processing start...

PT-2026-30330

Name of the Vulnerable Software and Affected Versions Directus affected versions not specified Description When GRAPHQL INTROSPECTION=false is configured, Directus blocks standard GraphQL introspection queries but the /graphql/system endpoint's server specs graphql resolver returns an equivalent...

CVE-2026-34751 Payload has Unvalidated Input in Password Recovery Endpoints

Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue...

CVE-2026-34751

Payload CMS (including @payloadcms/graphql and the core payload) contains a password-recovery flow vulnerability prior to version 3.79.1 that could allow an unauthenticated attacker to act on behalf of a user initiating a password reset. The issue is rated at CVSS v3.1 base score 9.1 (CRITICAL) w...

CVE-2026-33949

Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. T...

CVE-2026-34573

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads...

@adenta/cms (>=0.0.6 <=1.1.1-0), @anjy7/navbar-cms (=0.0.5) +25 more potentially affected by CVE-2026-34751 via @payloadcms/graphql (>=3.0.0-alpha.0 <=3.79.0)

@payloadcms/graphql NPM version =3.0.0-alpha.0, =0.0.6, =0.1.2, =1.0.2, =0.1.0, =3.0.0, =3.2.0, =0.2.0, =3.0.0-beta.10, =1.0.54, =1.0.1, =0.1.0, =0.1.1 and more Source cves: CVE-2026-34751 Source advisory: OSV:GHSA-HP5W-3HXX-VMWF...

Weak Password Recovery Mechanism for Forgotten Password

Overview Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password in the password recovery flow. An attacker can gain unauthorized access to user accounts by exploiting insufficient input validation of the origin of the password reset request...

@adenta/cms (>=0.0.6 <=1.1.1-0), @anjy7/navbar-cms (=0.0.5) +25 more potentially affected by CVE-2026-34751 via @payloadcms/graphql (>=3.0.0-alpha.0 <=3.79.0)

@payloadcms/graphql NPM version =3.0.0-alpha.0, =0.0.6, =0.1.2, =1.0.2, =0.1.0, =3.0.0, =3.2.0, =0.2.0, =3.0.0-beta.10, =1.0.54, =1.0.1, =0.1.0, =0.1.1 and more Source cves: CVE-2026-34751 Source advisory: SNYK:JS-PAYLOADCMSGRAPHQL-15871107...

CVE-2026-34604 @tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed conten...