CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

3112 matches found

OSV•added 2026/03/27 12:15 p.m.•2 views

BIT-GITLAB-2026-3857 Cross-Site Request Forgery (CSRF) in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection...

8.8CVSS6.1AI score0.00014EPSS

Exploits0References4

Github Security Blog•added 2026/03/26 10:9 p.m.•7 views

Apollo Router Core: Browser Bug Enables Bypass of XS-Search Prevention via Read-Only Cross-Site Request Forgery

Impact In a Cross-Site Request Forgery attack, untrusted web content causes browsers to send authenticated requests to web servers which use cookies for authentication. While the web content is prevented from reading the request's response due to the Cross-Origin Request Sharing CORS protocol, th...

5.9AI score

Exploits0References6Affected Software1

Github Security Blog•added 2026/03/26 9:53 p.m.•2 views

Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention

5.9AI score

Exploits0References6Affected Software2

OSV•added 2026/03/26 9:53 p.m.•2 views

GHSA-9Q82-XGWF-VJ6H Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention

6.3CVSS6AI score

Exploits0References6

RedhatCVE•added 2026/03/26 5:0 p.m.•3 views

CVE-2026-3988

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance unresponsive due to improper input validation in...

7.5CVSS5.8AI score0.00242EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 5:0 p.m.•3 views

CVE-2026-3857

8.1CVSS6.1AI score0.00014EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:12 p.m.•3 views

CVE-2026-21886

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this...

8.1CVSS5.8AI score0.00164EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:11 p.m.•1 views

CVE-2026-32594

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection...

7.3CVSS5.8AI score0.00086EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:8 p.m.•3 views

CVE-2026-24125

Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths relativePath, newRelativePath via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using...

6.3CVSS5.8AI score0.00093EPSS

Exploits1References1

RedhatCVE•added 2026/03/26 3:3 p.m.•2 views

CVE-2026-30966

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any...

10CVSS5.8AI score0.00064EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:1 p.m.•2 views

CVE-2026-1069

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances...

7.5CVSS5.8AI score0.00033EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 2:59 p.m.•1 views

CVE-2026-31800

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the GraphQLConfig and Audience internal classes can be read, modified, and deleted via the generic /classes/GraphQLConfig and /classes/Audience REST API rout...

9.1CVSS5.8AI score0.00106EPSS

Exploits0References1

NCSC•added 2026/03/26 9:48 a.m.•4 views

Vulnerabilities fixed in GitLab

GitLab has fixed vulnerabilities in versions 18.8.7, 18.9.3, and 18.10.1. The vulnerabilities included denial-of-service scenarios that could be triggered by authenticated users via specific Webhook configurations and continuous integration inputs. In addition, there were issues with improper...

8.8CVSS5.8AI score0.00242EPSS

Exploits0References1

EUVD•added 2026/03/25 6:31 p.m.•5 views

EUVD-2026-15937

7.5CVSS5.8AI score0.00242EPSS

Exploits0References4

EUVD•added 2026/03/25 6:31 p.m.•3 views

EUVD-2026-15935

8.1CVSS6.1AI score0.00014EPSS

Exploits0References4

CVE•added 2026/03/25 4:33 p.m.•19 views

CVE-2026-3857

GitLab CSRF protection weakness allowed an unauthenticated user to trigger arbitrary GraphQL mutations on behalf of authenticated users in GitLab CE/EE versions 17.10–before 18.8.7, 18.9–before 18.9.3, and 18.10–before 18.10.1. Patches fixed these issues in the 18.10.1 release (and related adviso...

8.8CVSS6.1AI score0.00014EPSS

Exploits0References3Affected Software1