Lucene search
K

90 matches found

Vulnrichment
Vulnrichment
added 2026/06/04 2:6 p.m.10 views

CVE-2026-47706 Strawberry GraphQL has a Circular Fragment Reference DOS

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...

5.3CVSS5.8AI score0.00296EPSS
Exploits1References2
EUVD
EUVD
added 2026/06/04 2:6 p.m.10 views

EUVD-2026-34269

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...

5.3CVSS5.8AI score0.00296EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/06/04 2:6 p.m.7 views

CVE-2026-47706

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...

5.3CVSS5.8AI score0.00296EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/06/04 2:6 p.m.25 views

CVE-2026-47706

The CVE affects Strawberry GraphQL versions 0.71.0–0.315.6, where the QueryDepthLimiter lacks cycle detection in fragment spreads, causing infinite recursion and an application-level DOS (RecursionError) during validation. The issue is fixed in 0.315.7. Remediation: upgrade to 0.315.7 or later. T...

5.3CVSS5.8AI score0.00296EPSS
Exploits1References2Affected Software1
CNNVD
CNNVD
added 2026/06/04 12:0 a.m.9 views

Strawberry GraphQL 安全漏洞

Strawberry GraphQL is an open-source Python GraphQL library that utilizes type annotations. Versions 0.288.4 to 0.315.3 of Strawberry GraphQL contain security vulnerabilities. These vulnerabilities stem from the GraphiQL template writing values from the header editor into the browser URL query...

4.3CVSS5.3AI score0.00218EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.20 views

PT-2026-46250

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not...

5.3CVSS5.8AI score0.00417EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/06/04 12:0 a.m.8 views

Strawberry GraphQL 安全漏洞

Strawberry GraphQL is an open-source Python GraphQL library that utilizes type annotations. Versions 0.172.0 to 0.315.6 of Strawberry GraphQL contain security vulnerabilities. These vulnerabilities stem from the MaxAliasesLimiter extension not taking into account the multiplicative amplification...

5.3CVSS5.3AI score0.00417EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/06/04 12:0 a.m.9 views

Strawberry GraphQL 安全漏洞

Strawberry GraphQL is an open-source Python GraphQL library that utilizes type annotations. Versions 0.71.0 to 0.315.6 of Strawberry GraphQL contain security vulnerabilities. These vulnerabilities stem from the QueryDepthLimiter extension’s lack of loop detection in fragment extensions, which cou...

5.3CVSS5.3AI score0.00296EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.15 views

PT-2026-46249

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determine depth...

5.3CVSS5.8AI score0.00296EPSS
Exploits1References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/20 5:47 p.m.11 views

Malicious code in strawberry-graphql (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8eb433a0339783d1a58993e1611278218492a4349a80801e6c6a2d475278a99c This package is published under the strawberry-graphql name but diverges from the legitimate upstream by declaring a hard runtime dependency on...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/05/20 5:47 p.m.13 views

MAL-2026-4771 Malicious code in strawberry-graphql (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8eb433a0339783d1a58993e1611278218492a4349a80801e6c6a2d475278a99c This package is published under the strawberry-graphql name but diverges from the legitimate upstream by declaring a hard runtime dependency on...

5.8AI score
Exploits0References1
Circl
Circl
added 2026/05/19 5:2 p.m.11 views

CVE-2026-47707

creationtimestamp| type| source ---|---|--- 2026-05-19 17:02:32+00:00| published-proof-of-concept| https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-fr49-mhgj-crfc 2026-06-04 15:20:57+00:00| seen| https://gist.github.com/alon710/010787d34dde83f4031b6f6c155ccffb...

5.3CVSS5.8AI score0.00417EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/19 3:55 p.m.8 views

Insertion of Sensitive Information Into Sent Data

Overview strawberry-graphql is an A library for creating GraphQL APIs Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the graphiql template. An attacker can obtain sensitive HTTP header values by enticing a user to enter confidential...

4.3CVSS5.8AI score0.00218EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/19 3:55 p.m.16 views

Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs

Summary Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as Authorization: Bearer , the value could become visible in browser history, copied links, and server/proxy/CDN access logs...

4.3CVSS6.1AI score0.00218EPSS
Exploits0References7Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.16 views

PT-2026-41972

Name of the Vulnerable Software and Affected Versions Strawberry GraphQL versions 0.288.4 through 0.315.3 Description The bundled GraphiQL template in Strawberry GraphQL writes values from the headers editor into the browser URL query string. This occurs because the strawberry/static/graphiql.htm...

3.1CVSS6AI score0.00218EPSS
Exploits0References9
Tenable Nessus
Tenable Nessus
added 2026/04/17 12:0 a.m.8 views

FreeBSD : py-strawberry-graphql -- Multiple vulnerabilities (6a0aa20d-399f-11f1-8626-901b0edee044)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 6a0aa20d-399f-11f1-8626-901b0edee044 advisory. The Strawberry GraphQL project reports: Strawberry up until version 0.312.3 is vulnerable to a...

7.5CVSS5.6AI score0.00424EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/04/09 7:23 p.m.6 views

CVE-2026-35523

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...

7.5CVSS5.9AI score0.00424EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/08 7:34 p.m.6 views

CVE-2026-35526

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...

7.5CVSS5.9AI score0.00274EPSS
Exploits0References1
NVD
NVD
added 2026/04/07 5:16 p.m.7 views

CVE-2026-35523

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...

7.5CVSS0.00424EPSS
Exploits0References1
OSV
OSV
added 2026/04/07 5:16 p.m.8 views

PYSEC-2026-133

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...

7.5CVSS5.7AI score0.00424EPSS
Exploits0References1
Rows per page
Query Builder