3087 matches found
GHSA-2238-XC5R-V9HJ @tinacms/graphql has a Path Traversal issue
Description TinaCMS allows users to create, update, and delete content documents using relative file paths relativePath, newRelativePath via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join without validating that the resolved path...
CVE-2026-24125
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths relativePath, newRelativePath via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using...
CVE-2026-24125 Path Traversal in @tinacms/graphql
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths relativePath, newRelativePath via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using...
CVE-2026-24125
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths relativePath, newRelativePath via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using...
CVE-2026-24125
Summary: TinaCMS (headless CMS) before 2.1.2 allows creating, updating, and deleting content via GraphQL mutations using relative file paths. Under certain conditions, path.join() can combine the path with the collection path without validating the resolved path stays within the collection root, ...
CVE-2026-24125 Path Traversal in @tinacms/graphql
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths relativePath, newRelativePath via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using...
CVE-2026-24125 Path Traversal in @tinacms/graphql
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths relativePath, newRelativePath via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using...
BIT-PARSE-2026-31800 Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2 and 8.6.25, the GraphQLConfig and Audience internal classes can be read, modified, and deleted via the generic /classes/GraphQLConfig and /classes/Audience REST API routes withou...
BIT-PARSE-2026-30946 Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources CPU, memory, database connections through crafted queries that exploit the lack of complexity limits in th...
PT-2026-25077
Anchore Enterprise versions before 5.25.1 contain an SQL injection vulnerability in the GraphQL Reports API. An authenticated attacker that is able to access the GraphQL API could execute arbitrary SQL instructions resulting in modifications to the data contained in the Anchore Enterprise databas...
Graphql-upload-minimal has a prototype pollution vulnerability.
Overview Version 1.6.1 of the Flash Payments package graphql-upload-minimal is vulnerable to prototype pollution. This vulnerability, located in the processRequest function, allows an attacker to inject special property names into the operations.variables object and pollute global object...
@24hr/ettapi (>=0.0.1 <=0.2.5), @dzangolab/fastify-s3 (>=0.48.0 <=0.87.0) +1 more potentially affected by CVE-2025-65587 via graphql-upload-minimal (>=1.5.3 <=1.6.1)
graphql-upload-minimal NPM version =1.5.3, =0.0.1, =0.48.0, =0.88.0, =0.93.4 Source cves: CVE-2025-65587 Source advisory: SNYK:JS-GRAPHQLUPLOADMINIMAL-15682460...
Prototype Pollution
Overview graphql-upload-minimal is a Minimalistic and developer friendly middleware and an Upload scalar to add support for GraphQL multipart requests file uploads via queries and mutations to various Node.js GraphQL servers. Affected versions of this package are vulnerable to Prototype Pollution...
EUVD-2026-11178
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances...
CVE-2026-1069
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances...
CVE-2026-1069 Uncontrolled Recursion in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances...
CVE-2026-1069 Uncontrolled Recursion in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances...
CVE-2026-1069
GitLab CE/EE versions 18.9 before 18.9.2 are affected by an unauthenticated denial-of-service via specially crafted GraphQL requests that trigger uncontrolled recursion under certain conditions. The issue has been remediated in GitLab 18.9.2; patch/update to 18.9.2 or newer. Attacker access requi...
CVE-2026-1069
Removed by vendor...
CVE-2026-1069 Uncontrolled Recursion in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances...