Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

3112 matches found

NVD
NVDadded 2026/02/25 12:16 p.m.6 views

CVE-2026-3118

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub Backstage. The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This...

6.5CVSS0.00022EPSS
Exploits0References4
Cvelist
Cvelistadded 2026/02/25 11:25 a.m.29 views

CVE-2026-3118 Rhdh: graphql injection leading to platform-wide denial of service (dos) in rh developer hub orchestrator plugin

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub Backstage. The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This...

6.5CVSS0.00022EPSS
Exploits0References4
CVE
CVEadded 2026/02/25 11:25 a.m.8 views

CVE-2026-3118

The CVE covers CVE-2026-3118 affecting the Orchestrator Plugin in Red Hat Developer Hub (Backstage). The root cause is insufficient input validation in GraphQL query handling, allowing an authenticated user to inject crafted input that disrupts backend query processing and triggers a platform-wid...

6.5CVSS5.5AI score0.00022EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichmentadded 2026/02/25 11:25 a.m.6 views

CVE-2026-3118 Rhdh: graphql injection leading to platform-wide denial of service (dos) in rh developer hub orchestrator plugin

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub Backstage. The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This...

6.5CVSS5.4AI score0.00022EPSS
Exploits0References4
RedhatCVE
RedhatCVEadded 2026/02/25 11:25 a.m.3 views

CVE-2026-3118

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub Backstage. The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This...

6.5CVSS5.5AI score0.00022EPSS
Exploits0References3
RedhatCVE
RedhatCVEadded 2026/02/25 4:6 a.m.12 views

CVE-2026-27129

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname, which only resolves IPv4 addresses. When a hostname has only AAAA IPv6 records, the function returns the...

7.1CVSS5.4AI score0.00016EPSS
Exploits2References1
RedhatCVE
RedhatCVEadded 2026/02/25 4:6 a.m.11 views

CVE-2026-27127

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use TOCTOU vulnerability enables DNS rebindi...

7CVSS5.5AI score0.00016EPSS
Exploits2References1
CNNVD
CNNVDadded 2026/02/25 12:0 a.m.3 views

Red Hat Developer Hub SQL注入漏洞

Red Hat Developer Hub is an enterprise-level internal developer platform developed by Red Hat Inc. The platform has a SQL injection vulnerability, which stems from insufficient input validation in GraphQL query processing. This vulnerability may allow authenticated users to inject malicious input...

6.5CVSS5.8AI score0.00022EPSS
Exploits0References2
Positive Technologies
Positive Technologiesadded 2026/02/25 12:0 a.m.5 views

PT-2026-21899

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub Backstage. The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This...

6.5CVSS5.5AI score0.00022EPSS
Exploits0References3
OSV
OSVadded 2026/02/24 3:51 p.m.4 views

GHSA-V2GC-RM6G-WRW9 Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution

The SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname, which only resolves IPv4 addresses. When a hostname has only AAAA IPv6 records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection...

7CVSS6.2AI score0.00011EPSS
Exploits1References5
Snyk
Snykadded 2026/02/24 6:19 a.m.4 views

Server-side Request Forgery (SSRF)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the gethostbyname function used during GraphQL Asset mutation processing. An attacker can access internal cloud metadata endpoints by supplying hostnames...

7.1CVSS5.5AI score0.00016EPSS
Exploits2References2
NVD
NVDadded 2026/02/24 3:16 a.m.5 views

CVE-2026-27129

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname, which only resolves IPv4 addresses. When a hostname has only AAAA IPv6 records, the function returns the...

7.1CVSS0.00011EPSS
Exploits1References3
NVD
NVDadded 2026/02/24 3:16 a.m.3 views

CVE-2026-27127

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use TOCTOU vulnerability enables DNS rebindi...

7CVSS0.00008EPSS
Exploits1References3
EUVD
EUVDadded 2026/02/24 2:45 a.m.4 views

EUVD-2026-7400

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname, which only resolves IPv4 addresses. When a hostname has only AAAA IPv6 records, the function returns the...

7.1CVSS5.3AI score0.00016EPSS
Exploits2References3
CVE
CVEadded 2026/02/24 2:45 a.m.25 views

CVE-2026-27129

CVE-2026-27129 affects Craft CMS, where the SSRF protection in the GraphQL Asset mutation (versions 4.5.0-RC1–4.16.18 and 5.0.0-RC1–5.8.22) is bypassed due to using gethostbyname(), which only resolves IPv4. If a host has only IPv6 (AAAA) records, the function returns the hostname, causing blockl...

7.1CVSS5.2AI score0.00011EPSS
Exploits1References3Affected Software1
OSV
OSVadded 2026/02/24 2:45 a.m.3 views

CVE-2026-27129 Cloud Metadata SSRF Protection Bypass via IPv6 Resolution

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname, which only resolves IPv4 addresses. When a hostname has only AAAA IPv6 records, the function returns the...

7.1CVSS5.5AI score0.00011EPSS
Exploits1References5
Vulnrichment
Vulnrichmentadded 2026/02/24 2:45 a.m.2 views

CVE-2026-27129 Cloud Metadata SSRF Protection Bypass via IPv6 Resolution

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname, which only resolves IPv4 addresses. When a hostname has only AAAA IPv6 records, the function returns the...

7.1CVSS5.9AI score0.00011EPSS
Exploits1References3
ATTACKERKB
ATTACKERKBadded 2026/02/24 2:45 a.m.5 views

CVE-2026-27129

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname, which only resolves IPv4 addresses. When a hostname has only AAAA IPv6 records, the function returns the...

7.1CVSS5.3AI score0.00016EPSS
Exploits2References4Affected Software1
CVE
CVEadded 2026/02/24 2:39 a.m.9 views

CVE-2026-27127

CVE-2026-27127 affects Craft CMS (versions 4.5.0-RC1–4.16.18 and 5.0.0-RC1–5.8.22). It exploits a TOCTOU DNS rebinding flaw in the GraphQL Asset mutation where DNS resolution occurs separately from the HTTP request, bypassing prior fixes for CVE-2025-68437 and allowing access to blocked IPs. Expl...

7CVSS5.3AI score0.00008EPSS
Exploits1References3Affected Software1
Cvelist
Cvelistadded 2026/02/24 2:39 a.m.20 views

CVE-2026-27127 Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use TOCTOU vulnerability enables DNS rebindi...

7CVSS0.00008EPSS
Exploits1References3
Rows per page
Query Builder