Lucene search
K

37 matches found

NVD
NVD
added 2026/07/06 9:16 a.m.18 views

CVE-2026-9165

A flaw was found in Red Hat Advanced Cluster Security for Kubernetes RHACS. Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central...

7.7CVSS0.00319EPSS
Exploits0References5
CVE
CVE
added 2026/07/06 8:46 a.m.18 views

CVE-2026-9165

Summary : A flaw in Red Hat Advanced Cluster Security for Kubernetes (RHACS) Central allows unbounded GraphQL query depth on the authenticated GraphQL API, enabling a token-authenticated user to issue deeply nested queries that exhaust resources and cause a denial of service to the management pla...

7.7CVSS5.9AI score0.00319EPSS
Exploits0References5
OSV
OSV
added 2026/06/19 2:50 p.m.21 views

GHSA-CGXM-VR2F-6FJ8 parse-server: Denial of service via exponential-time processing of deeply nested query operators

Impact Parse Server is vulnerable to denial of service. A remote attacker can send a single, small query 1 KB containing deeply nested query condition operators. Parse Server processes the nested structure with exponential time complexity, which blocks the Node.js event loop and makes the server...

8.7CVSS5.9AI score0.00335EPSS
Exploits0References4
NVD
NVD
added 2026/06/04 3:16 p.m.15 views

CVE-2026-47706

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...

5.3CVSS0.00296EPSS
Exploits1References2
OSV
OSV
added 2026/06/04 2:38 p.m.7 views

GHSA-QFWV-87QJ-98XQ Strawberry GraphQL has a Circular Fragment Reference DOS

Summary The QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth function enters an infinite recursion, leading to a RecursionError and crashing the...

5.3CVSS5.8AI score0.00296EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/06/04 2:6 p.m.7 views

CVE-2026-47706

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...

5.3CVSS5.8AI score0.00296EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/06/04 2:6 p.m.39 views

CVE-2026-47706 Strawberry GraphQL has a Circular Fragment Reference DOS

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...

5.3CVSS0.00296EPSS
Exploits1References2
CVE
CVE
added 2026/06/04 2:6 p.m.25 views

CVE-2026-47706

The CVE affects Strawberry GraphQL versions 0.71.0–0.315.6, where the QueryDepthLimiter lacks cycle detection in fragment spreads, causing infinite recursion and an application-level DOS (RecursionError) during validation. The issue is fixed in 0.315.7. Remediation: upgrade to 0.315.7 or later. T...

5.3CVSS5.8AI score0.00296EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.19 views

PT-2026-46249

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determine depth...

5.3CVSS5.8AI score0.00296EPSS
Exploits1References3
Snyk
Snyk
added 2026/04/08 3:5 p.m.5 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the CreateHandler process, which lacks resource limits for query depth, complexity, response size, and rate limiting. An attacker can exhaust server CPU, memory, and bandwidth by...

7.1CVSS5.5AI score
Exploits0References2
OSV
OSV
added 2026/03/27 7:14 a.m.1 views

BIT-PARSE-2026-33498 Parse Server: Query condition depth bypass via pre-validation transform pipeline

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. Th...

8.7CVSS5.8AI score0.00452EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/03/26 3:1 p.m.4 views

CVE-2026-32944

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the...

8.7CVSS5.7AI score0.00483EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:1 p.m.2 views

CVE-2026-33508

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...

8.2CVSS5.7AI score0.00345EPSS
Exploits0References1
NVD
NVD
added 2026/03/24 7:16 p.m.3 views

CVE-2026-33508

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...

8.2CVSS0.00345EPSS
Exploits0References5
OSV
OSV
added 2026/03/24 6:18 p.m.5 views

CVE-2026-33498 Parse Server: Query condition depth bypass via pre-validation transform pipeline

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server...

8.7CVSS5.8AI score0.00452EPSS
Exploits0References7
CNNVD
CNNVD
added 2026/03/24 12:0 a.m.11 views

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.56 and 9.6.0-alpha.45. These vulnerabilities stemmed from the LiveQuery component no...

8.2CVSS5.8AI score0.00345EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/20 9:48 p.m.7 views

Parse Server LiveQuery subscription query depth bypass

Impact Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrade...

8.2CVSS5.8AI score0.00345EPSS
Exploits0References7Affected Software1
Snyk
Snyk
added 2026/03/20 9:48 p.m.5 views

Uncontrolled Recursion

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Uncontrolled Recursion via the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...

8.2CVSS5.8AI score0.00345EPSS
Exploits0References2
OSV
OSV
added 2026/03/20 9:48 p.m.4 views

GHSA-6QH5-M6G3-XHQ6 Parse Server LiveQuery subscription query depth bypass

Impact Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrade...

8.2CVSS5.8AI score0.00345EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/03/20 8:56 p.m.9 views

Parse Server has a query condition depth bypass via pre-validation transform pipeline

Impact An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. Patches The...

8.7CVSS5.8AI score0.00452EPSS
Exploits0References7Affected Software1
Rows per page
Query Builder