3112 matches found

NVD, added 2026/03/16 2:19 p.m.

CVE-2026-32594

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection...

CVSS 7.3 | EPSS 0.00086 | Exploits 0 | References 3
OSSF Malicious Packages, added 2026/03/16 12:37 a.m.

Malicious code in graphql-request-dom (npm)

Source: amazon-inspector (12e85257ce18204d98a8a6181fa40a75d7feb91477b98f6b86ba89223a9f4e51). The package graphql-request-dom was found to contain malicious code. Source: ghsa-malware...

AI score 5.7 | Exploits 0 | References 1
Snyk, added 2026/03/16 12:37 a.m.

Malicious Package

Overview: graphql-request-dom is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.8 | Exploits 0 | References 2
OSV, added 2026/03/16 12:37 a.m.

MAL-2026-1444 Malicious code in graphql-request-dom (npm)

Source: amazon-inspector (12e85257ce18204d98a8a6181fa40a75d7feb91477b98f6b86ba89223a9f4e51). The package graphql-request-dom was found to contain malicious code. Source: ghsa-malware...

AI score 5.7 | Exploits 0 | References 1
OSSF Malicious Packages, added 2026/03/16 12:00 a.m.

Malicious code in typescript-type-graphql (npm)

The package 'typescript-type-graphql' is part of the PhantomRaven supply chain attack campaign, Wave 2. It uses a Remote Dynamic Dependency (RDD) technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

AI score 5.5 | Exploits 0 | References 3
OSV, added 2026/03/16 12:00 a.m.

MAL-2026-1540 Malicious code in typescript-type-graphql (npm)

The package 'typescript-type-graphql' is part of the PhantomRaven supply chain attack campaign, Wave 2. It uses a Remote Dynamic Dependency (RDD) technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

AI score 5.6 | Exploits 0 | References 3
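The two PhantomRaven entries above describe a package whose package.json points a dependency at a URL rather than the registry. The script below is an added example, not PhantomRaven, OSSF or OSV tooling: it classifies every dependency specifier in a manifest and reports the ones npm would fetch from somewhere other than the registry (HTTP(S) tarballs, git URLs, hosted shorthands, local paths). The manifest is constructed for the example; the package names and the 203.0.113.10 address (a documentation range) are not real.

```javascript
// Added example: flag non-registry dependency specifiers in a package.json.
// Not PhantomRaven/OSSF/OSV code; the manifest below is constructed.

const DEP_FIELDS = [
  'dependencies',
  'devDependencies',
  'optionalDependencies',
  'peerDependencies',
];

// Coarse classification of one specifier by the source npm would fetch it from.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^https?:\/\//i.test(s)) return 'url';                    // remote tarball
  if (/^(git\+|git:|ssh:)/i.test(s) || /\.git(#.*)?$/.test(s)) return 'git';
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return 'hosted';
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return 'hosted';      // user/repo shorthand
  if (/^(file:|\.\.?\/|\/|~\/)/.test(s)) return 'file';
  return 'registry';                                             // semver range, tag, npm: alias
}

// Walk every dependency map and return the entries that do not resolve via the registry.
function findRemoteDependencies(manifestText) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'registry') findings.push({ field, name, spec: String(spec), kind });
    }
  }
  return findings;
}

// Constructed manifest: two registry dependencies and two remote ones.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-app',
  dependencies: {
    graphql: '^16.8.1',
    'example-helper': 'http://203.0.113.10/pkg/example-helper-1.0.0.tgz',
  },
  devDependencies: {
    typescript: '~5.3.0',
    'example-utils': 'git+https://git.example.invalid/org/example-utils.git#main',
  },
});

for (const hit of findRemoteDependencies(SAMPLE_MANIFEST)) {
  console.log(`${hit.field}: ${hit.name} -> ${hit.spec} [${hit.kind}]`);
}
```

Run it against the lockfile-free manifests of packages you are about to install, or as a CI gate over your own repository: a URL or git specifier is not malicious by itself, but it means the installed code is whatever that host serves at install time, outside the registry's integrity checks, so each hit deserves a pin to an immutable commit or a vendored tarball.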
CNNVD, added 2026/03/16 12:00 a.m.

Parse Server access control error vulnerability

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 8.6.40 and 9.6.0-alpha.14 contain an access control vulnerability, which stems from the GraphQL...

CVSS 7.3 | AI score 6 | EPSS 0.00086 | Exploits 0 | References 3
EUVD, added 2026/03/13 9:31 p.m.

EUVD-2026-11707

Anchore Enterprise versions before 5.25.1 contain an SQL injection vulnerability in the GraphQL Reports API. An authenticated attacker that is able to access the GraphQL API could execute arbitrary SQL instructions resulting in modifications to the data contained in the Anchore Enterprise databas...

CVSS 8.5 | AI score 6 | EPSS 0.00038 | Exploits 0 | References 4
Snyk, added 2026/03/13 8:51 p.m.

Prototype Pollution

Overview: @apollo/gateway is a library exporting utility functions. Affected versions of this package are vulnerable to Prototype Pollution through incomplete sanitization of input in the query plan execution. An attacker can manipulate the Object.prototype in the gateway by crafting operations wi...

CVSS 9.9 | AI score 6.6 | EPSS 0.00043 | Exploits 0 | References 2
Snyk, added 2026/03/13 8:51 p.m.

Prototype Pollution

Overview: @apollo/query-planner is the Apollo Query Planner. Affected versions of this package are vulnerable to Prototype Pollution through incomplete sanitization of input in the query plan execution. An attacker can manipulate the Object.prototype in the gateway by crafting operations with field...

CVSS 9.9 | AI score 6.6 | EPSS 0.00043 | Exploits 0 | References 2
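Both Apollo entries above describe the same class of bug: a merge step that walks attacker-chosen keys and ends up writing into Object.prototype. The block below is an added example and is not @apollo/gateway or @apollo/query-planner code; it does not reproduce their code path. It uses a hypothetical recursive merge that combines subgraph result fragments by response field name, shows how a "__proto__" key pollutes every object in the process, and puts a hardened merge beside it. The hostile JSON is constructed.

```javascript
// Added example of the prototype-pollution pattern described above.
// Not Apollo code; merge functions and the hostile fragment are hypothetical.

const HOSTILE_FRAGMENT = '{"me":{"id":"1"},"__proto__":{"isAdmin":true}}';

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: key names flow straight into property access. For the key
// "__proto__", target["__proto__"] is Object.prototype, which is an object,
// so the recursion descends into it and writes isAdmin there.
function mergeFragmentVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeFragmentVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach a prototype, and only descend into
// properties the target owns itself, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeFragmentHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to merge key "${key}"`);
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeFragmentHardened(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the vulnerable merge, observes the pollution, undoes it, then shows the
// hardened merge rejecting the same input.
function demonstrate() {
  mergeFragmentVulnerable({}, JSON.parse(HOSTILE_FRAGMENT));
  const polluted = ({}).isAdmin === true;   // a brand-new object now "has" isAdmin
  delete Object.prototype.isAdmin;          // clean up so the rest of the process is unaffected
  let hardenedRefused = false;
  try {
    mergeFragmentHardened({}, JSON.parse(HOSTILE_FRAGMENT));
  } catch (e) {
    hardenedRefused = true;
  }
  return { polluted, hardenedRefused, cleanAfterwards: ({}).isAdmin === undefined };
}

console.log(demonstrate());
```

The check on the three key names is the minimum; a stronger design keeps merge targets as `Object.create(null)` objects so there is no prototype to reach, and runs the service with `--disable-proto=delete` where the runtime supports it.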
Github Security Blog, added 2026/03/13 8:04 p.m.

Parse Server's GraphQL WebSocket endpoint bypasses security middleware

Impact: Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the...

CVSS 7.3 | AI score 5.8 | EPSS 0.00086 | Exploits 0 | References 7 | Affected software 1
EUVD, added 2026/03/13 8:04 p.m.

EUVD-2026-12097

Parse Server's GraphQL WebSocket endpoint bypasses security middleware...

CVSS 6.9 | AI score 5.8 | EPSS 0.00086 | Exploits 0 | References 5
Snyk, added 2026/03/13 8:04 p.m.

Missing Authentication for Critical Function

Overview: parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the createSubscriptions process. An attacker can execute unauthorized GraphQ...

CVSS 7.3 | AI score 5.8 | EPSS 0.00086 | Exploits 0 | References 2
OSV, added 2026/03/13 8:04 p.m.

GHSA-P2X3-8689-CWPG Parse Server's GraphQL WebSocket endpoint bypasses security middleware

Impact: Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the...

CVSS 6.9 | AI score 5.8 | EPSS 0.00086 | Exploits 0 | References 7
ATTACKERKB, added 2026/03/13 7:56 p.m.

CVE-2026-32594

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection...

CVSS 6.9 | AI score 5.8 | EPSS 0.00086 | Exploits 0 | References 4 | Affected software 1
Vulnrichment, added 2026/03/13 7:56 p.m.

CVE-2026-32594 Parse Server GraphQL WebSocket endpoint bypasses security middleware

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection...

CVSS 6.9 | AI score 5.8 | EPSS 0.00086 | Exploits 0 | References 3
Cvelist, added 2026/03/13 7:56 p.m.

CVE-2026-32594 Parse Server GraphQL WebSocket endpoint bypasses security middleware

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection...

CVSS 6.9 | EPSS 0.00086 | Exploits 0 | References 3
CVE, added 2026/03/13 7:56 p.m.

CVE-2026-32594

Parse Server exposes a GraphQL WebSocket endpoint which, prior to versions 8.6.40 and 9.6.0-alpha.14, did not route requests through the Express authentication/middleware chain. This allowed unauthenticated clients to perform GraphQL operations, access schema via introspection (even if disabled),...

CVSS 7.3 | AI score 5.8 | EPSS 0.00086 | Exploits 0 | References 3 | Affected software 1
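The Parse Server entries throughout this listing (NVD, CNNVD, the GitHub advisory, Snyk, OSV, AttackerKB, Vulnrichment, Cvelist and the CVE record above) all describe one mechanism: the HTTP /graphql route runs an Express middleware chain, while the subscription WebSocket is accepted without it. The block below is an added example, not Parse Server code and not its fix. It models that pattern in miniature: an Express-style chain that requires a session token and blocks introspection, a subscription acceptor that never consults the chain, and a hardened acceptor that replays the chain over the upgrade request's headers and the client's first operation. All names (runChain, acceptSubscription*, the x-parse-session-token header handling) are hypothetical and the requests are constructed.

```javascript
// Added example: why a WebSocket endpoint attached beside an Express app skips
// the route's middleware, and how to run that middleware at the handshake.
// Not Parse Server code; all names here are hypothetical.

// Minimal Express-style runner: each middleware gets (req, res, next) and may
// end the response instead of calling next().
function runChain(middlewares, req) {
  const res = {
    status: 200,
    ended: false,
    end(status) { this.status = status; this.ended = true; },
  };
  let i = 0;
  const next = () => {
    if (res.ended || i >= middlewares.length) return;
    middlewares[i++](req, res, next);
  };
  next();
  return res;
}

const requireSession = (req, res, next) => {
  if (!req.headers['x-parse-session-token']) return res.end(401);
  next();
};

const blockIntrospection = (req, res, next) => {
  if (/__schema|__type\b/.test(req.body.query || '')) return res.end(403);
  next();
};

const graphqlChain = [requireSession, blockIntrospection];

// HTTP route: every request passes through the chain before execution.
function handleHttpGraphql(req) {
  const res = runChain(graphqlChain, req);
  return res.ended ? { executed: false, status: res.status } : { executed: true, status: 200 };
}

// Vulnerable pattern: the subscription server listens on the raw HTTP server's
// upgrade event, so nothing in graphqlChain ever sees the connection.
function acceptSubscriptionVulnerable(upgradeReq, firstMessage) {
  return { executed: true, status: 101 };
}

// Hardened pattern: rebuild the request shape the chain expects from the
// handshake headers and the first operation, and refuse the socket if the
// chain ends the response.
function acceptSubscriptionHardened(upgradeReq, firstMessage) {
  const req = { headers: upgradeReq.headers, body: firstMessage };
  const res = runChain(graphqlChain, req);
  return res.ended ? { executed: false, status: res.status } : { executed: true, status: 101 };
}

// Constructed requests.
const anonymousUpgrade = { headers: {} };
const authedUpgrade = { headers: { 'x-parse-session-token': 'r:example' } };
const introspection = { query: '{ __schema { types { name } } }' };
const subscription = { query: 'subscription { posts { id } }' };

console.log('http, anon, introspection:', handleHttpGraphql({ ...anonymousUpgrade, body: introspection }));
console.log('ws vulnerable, anon      :', acceptSubscriptionVulnerable(anonymousUpgrade, introspection));
console.log('ws hardened, anon        :', acceptSubscriptionHardened(anonymousUpgrade, introspection));
console.log('ws hardened, authed      :', acceptSubscriptionHardened(authedUpgrade, subscription));
```

The practical check for any deployment is the same as the example's: open a socket to the subscription path with no credentials and send an introspection or subscription operation; if it is served, the handshake is not going through the route's middleware. Where the socket server offers a connection hook (graphql-ws, for instance, hands its onConnect callback the upgrade request), that hook is where the chain has to be applied.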
NVD, added 2026/03/13 7:54 p.m.

CVE-2026-25076

Anchore Enterprise versions before 5.25.1 contain an SQL injection vulnerability in the GraphQL Reports API. An authenticated attacker that is able to access the GraphQL API could execute arbitrary SQL instructions resulting in modifications to the data contained in the Anchore Enterprise databas...

CVSS 8.5 | EPSS 0.00038 | Exploits 0 | References 3
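The EUVD and NVD entries for CVE-2026-25076 above describe SQL injection reachable through a GraphQL reports API. The block below is an added example and is not Anchore code; it shows the bug class in a hypothetical reports resolver that splices an argument into SQL, beside a parameterized version, and a small helper that strips string literals so the two statements can be compared by SQL structure rather than data. The `reports` table, the `status` and `orderBy` arguments and the payload are all constructed. No database driver is involved: each builder returns the {text, values} pair a driver such as pg's client.query(text, values) would take.

```javascript
// Added example of the SQL injection class described above.
// Not Anchore code; table, arguments and payload are hypothetical.

function buildReportsQueryVulnerable(args) {
  // The argument value becomes part of the SQL text itself.
  return {
    text: `SELECT id, name FROM reports WHERE status = '${args.status}' ORDER BY created_at DESC`,
    values: [],
  };
}

const ORDERABLE_COLUMNS = new Set(['created_at', 'name']);

function buildReportsQueryParameterized(args) {
  // Values go through bind parameters. Identifiers cannot be bound, so the
  // sort column is taken from an allow-list rather than from the argument.
  const orderBy = ORDERABLE_COLUMNS.has(args.orderBy) ? args.orderBy : 'created_at';
  return {
    text: `SELECT id, name FROM reports WHERE status = $1 ORDER BY ${orderBy} DESC`,
    values: [String(args.status)],
  };
}

// Replace every single-quoted literal with "?" so statements can be compared
// by structure: if the shape changes with the input, the input became SQL.
function sqlShape(text) {
  return text.replace(/'(?:[^']|'')*'/g, '?');
}

// Constructed input: a tautology for the value and a stacked statement for the
// sort column.
const hostileArgs = { status: "x' OR '1'='1", orderBy: 'created_at; DELETE FROM reports' };

const vulnerableQuery = buildReportsQueryVulnerable(hostileArgs);
const safeQuery = buildReportsQueryParameterized(hostileArgs);
console.log('vulnerable shape :', sqlShape(vulnerableQuery.text));
console.log('parameterized    :', safeQuery.text, safeQuery.values);
```

The shape helper is a cheap unit-test oracle for resolvers: assert that `sqlShape(build(args).text)` is identical for benign and hostile arguments, and the test fails the moment someone reintroduces string building.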
OSV, added 2026/03/13 9:35 a.m.

BIT-GITLAB-2026-1069 Uncontrolled Recursion in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances...

CVSS 7.5 | AI score 5.8 | EPSS 0.00033 | Exploits 0 | References 4
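The GitLab entry above describes denial of service through uncontrolled recursion on crafted GraphQL requests. The block below is an added example, not GitLab code: a query-depth guard of the kind used to bound that recursion. It walks selection-set braces in the raw query text, skipping string literals, block strings and comments, so it runs without a GraphQL parser; a production server applies the same limit as a validation rule over the parsed AST. The queries and the limit of 10 are constructed.

```javascript
// Added example: a selection-depth guard against recursion-driven GraphQL DoS.
// Not GitLab code; the depth limit and sample queries are constructed.

const MAX_DEPTH = 10;

// Returns the deepest selection-set nesting in `query`; throws on unbalanced braces.
function selectionDepth(query) {
  let depth = 0;
  let deepest = 0;
  let inString = false;
  let inBlockString = false;
  let inComment = false;
  for (let i = 0; i < query.length; i++) {
    const c = query[i];
    if (inComment) {
      if (c === '\n') inComment = false;
      continue;
    }
    if (inBlockString) {
      if (query.startsWith('"""', i)) { inBlockString = false; i += 2; }
      continue;
    }
    if (inString) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === '"') inString = false;
      continue;
    }
    if (c === '#') { inComment = true; continue; }
    if (query.startsWith('"""', i)) { inBlockString = true; i += 2; continue; }
    if (c === '"') { inString = true; continue; }
    if (c === '{') {
      depth++;
      if (depth > deepest) deepest = depth;
    } else if (c === '}') {
      if (depth === 0) throw new Error('unbalanced selection set');
      depth--;
    }
  }
  if (depth !== 0) throw new Error('unbalanced selection set');
  return deepest;
}

// Guard to run before execution: over-deep queries are rejected, not executed.
function checkDepth(query, maxDepth = MAX_DEPTH) {
  const depth = selectionDepth(query);
  return { ok: depth <= maxDepth, depth, maxDepth };
}

// Constructed queries: a normal one with braces hidden in a string and a
// comment, and a 40-level nest that a generator would produce.
const NORMAL_QUERY = `
  query {
    project(fullPath: "group/proj") {   # a "{" in a comment { does not count
      issues(search: "{literal}") { nodes { title } }
    }
  }`;
const DEEP_QUERY = '{ a '.repeat(40) + '}'.repeat(40);

console.log(checkDepth(NORMAL_QUERY));
console.log(checkDepth(DEEP_QUERY));
```

Two caveats a practitioner should keep in mind. A textual brace walk cannot see depth introduced through fragment spreads, so the spec's no-fragment-cycles validation must stay enabled alongside it. And depth alone does not bound fan-out: a shallow query over large list fields can still be expensive, so a depth limit belongs next to a cost or complexity limit, not in place of one.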