22 matches found
CVE-2026-35413
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQLINTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries schema, type. However, the serverspecsgraphql resolver on the /graphql/system endpoint...
CVE-2026-35413
Directus CVE-2026-35413 exposes schema structure via the server_specs_graphql resolver on /graphql/system when GRAPHQL_INTROSPECTION is false. Multiple trusted sources (Directus advisories, Red Hat, OSV, Snyk, etc.) confirm that before version 11.16.1, SDL-style schema data could be retrieved by ...
EUVD-2026-10171
Parse Server: GraphQL type introspection bypass via inline fragments when public introspection is disabled...
GHSA-Q5Q9-2RHP-33QW Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Impact When graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. schema introspection is not affected. Patches The check was chang...
CVE-2026-30854
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...
CVE-2026-30854
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...
CVE-2026-30854
Parse Server vulnerability CVE-2026-30854 affects versions 9.3.1-alpha.3 through before 9.5.0-alpha.10 when graphQLPublicIntrospection is disabled. Nested __type queries inside inline fragments (for example ... on Query { __type(name: "User") { name } }) can bypass introspection controls, enablin...
CVE-2026-30854 Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...
PT-2026-23874
Name of the Vulnerable Software and Affected Versions Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.10 Description Parse Server, an open source backend deployable on Node.js infrastructures, contains an issue where disabling graphQLPublicIntrospection does not fully prevent...
Metasploit Wrap-Up 02/27/2026
No Prob-ollama This release brings some serious firepower with multiple new exploit modules and critical vulnerability support! The standout additions are the Ollama path traversal RCE CVE-2024-37032, a sophisticated exploit chaining arbitrary file writes into unauthenticated root RCE, and the...
FreeBSD : Gitlab -- vulnerabilities (9d9940e7-071c-11f1-93ca-2cf05da270f3)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 9d9940e7-071c-11f1-93ca-2cf05da270f3 advisory. Gitlab reports: Incomplete Validation issue in Web IDE impacts GitLab CE/EE Denial of Service...
Metasploit Weekly Wrap-Up 07/18/2025
ARM64 Windows Payload This latest metasploit-framework release marks a significant milestone, introducing the inaugural payload specifically designed for Windows ARM64 architecture: windows/aarch64/exec. This addition greatly expands the framework's capabilities, enabling penetration testers and...
CVE-2023-47643
SuiteCRM is a Customer Relationship Management CRM software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire...
VulnCheck KEV: CVE-2023-47643
SuiteCRM is a Customer Relationship Management CRM software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the...
Shopify: GraphQL Introspection Enabled on Shopify API Endpoint (Intended Behavior)
Summary: Hi team ! i've found a misconfiguration in your graphql Api on the endpoint in which an attacker is able to run a graphql interospection query to fetch schemas , types , fields , available query operations , after running interospection query on the graphql api endpoint , an attacker is...
SUSE CVE-2024-50312
A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query. This flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations. Exposure to this flaw increases the attack surface, as it can facilitate the discovery ...
CVE-2024-50312
A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query. This flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations. Exposure to this flaw increases the attack surface, as it can facilitate the discovery ...
Red Hat OpenShift 信息泄露漏洞
Red Hat OpenShift is a Platform-as-a-Service PaaS cloud computing platform from Red Hat, Inc. that supports building, testing, deploying, and running applications. An information disclosure vulnerability exists in Red Hat OpenShift that stems from improper access control to GraphQL introspection...
Authentication flaw
SuiteCRM is a Customer Relationship Management CRM software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire...
CVE-2023-47643 SuiteCRM has Unauthenticated Graphql Introspection Enabled
SuiteCRM is a Customer Relationship Management CRM software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire...