aas2openapi (>=0.2.0 <=0.2.4), adelecv (>=0.0.1 <=0.0.2) +103 more potentially affected by CVE-2026-35526 via strawberry-graphql (>=0.103.9 <=0.312.0)
strawberry-graphql PYPI version =0.103.9, =0.2.0, =0.0.1, =0.0.1, =2025.4.0, =2025.4.0, =0.1.1, =0.1.0, =0.1.0, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.0.2rc0, =0.9.0, =1.1.0 and more Source cves: CVE-2026-35526 Source advisory: SNYK:PYTHON-STRAWBERRYGRAPHQL-15922315...
agent-evaluator (=0.7.8), airo-camera-toolkit (>=2025.4.0 <=2026.5.0) +79 more potentially affected by CVE-2026-35526 via strawberry-graphql (>=0.202.1 <=0.312.0)
strawberry-graphql PYPI version =0.202.1, =2025.4.0, =2025.4.0, =0.1.0, =0.1.0, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.0.33, =0.9.0, =25.13.0, =0.41.0, =1.2.0, =0.1.0a1, =0.1.0a10 and more Source cves: CVE-2026-35526 Source advisory: OSV:GHSA-HV3W-M4G2-5X77...
aas2openapi (>=0.2.0 <=0.2.4), adelecv (>=0.0.1 <=0.0.2) +103 more potentially affected by CVE-2026-35523 via strawberry-graphql (>=0.103.9 <=0.312.0)
strawberry-graphql PYPI version =0.103.9, =0.2.0, =0.0.1, =0.0.1, =2025.4.0, =2025.4.0, =0.1.1, =0.1.0, =0.1.0, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.0.2rc0, =0.9.0, =1.1.0 and more Source cves: CVE-2026-35523 Source advisory: SNYK:PYTHON-STRAWBERRYGRAPHQL-15922312...
agent-evaluator (=0.7.8), airo-camera-toolkit (>=2025.4.0 <=2026.5.0) +79 more potentially affected by CVE-2026-35523 via strawberry-graphql (>=0.202.1 <=0.312.0)
strawberry-graphql PYPI version =0.202.1, =2025.4.0, =2025.4.0, =0.1.0, =0.1.0, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.0.33, =0.9.0, =25.13.0, =0.41.0, =1.2.0, =0.1.0a1, =0.1.0a10 and more Source cves: CVE-2026-35523 Source advisory: OSV:GHSA-VPWC-V33Q-MQ89...
Missing Authentication for Critical Function
Overview strawberry-graphql is a library for creating GraphQL APIs. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the on_ws_connect process. An attacker can gain unauthorized access to WebSocket subscription endpoints by connecting with the...
GHSA-VPWC-V33Q-MQ89 strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol
Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start subscription messages. This allows a remote...
BIT-PARSE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A singl...
BIT-PARSE-2026-34373 Parse Server: GraphQL API endpoint ignores CORS origin restriction
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses orig...
PT-2026-30761
Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start subscription messages. This allows a remote...
Directus Information Disclosure Vulnerability
Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.16.1 contained a vulnerability related to information leakage. This vulnerability stemmed from the server_specs GraphQL parser not...
Directus Security Vulnerability
Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.17.0 contained a security vulnerability. This vulnerability stemmed from GraphQL endpoints not repeatedly calling the data deletion...
GHSA-6Q22-G298-GRJH Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver
Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution ...
GHSA-PH52-67FQ-75WJ Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits
Summary Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large...
Allocation of Resources Without Limits or Throttling
Overview directus is a real-time API and app dashboard for managing SQL database content. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the GraphQL resolver process. An attacker can exhaust server resources and cause...
GHSA-WXWM-3FXV-MRVX Directus: GraphQL Schema SDL Disclosure Setting
Summary When GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the server_specs_graphql resolver on the /graphql/system endpoint returns an equivalent SDL representation of the schema and was not subject to the same...
py-strawberry-graphql -- Multiple vulnerabilities
The Strawberry GraphQL project reports: Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a 'connection_init' handshake has been completed before processing start...