
26 matches found

RedhatCVE
added yesterday · 5 views

CVE-2026-42793

Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules ca...

8.2 CVSS · 5.6 AI score · 0.0003 EPSS
Exploits 1 · References 1
Snyk
added 5 days ago · 4 views

Malicious Package

Overview: json-to-simple-graphql-schema is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8 CVSS · 5.8 AI score
Exploits 0 · References 2
Vulnrichment
added 2026/05/08 3:42 p.m. · 2 views

CVE-2026-42793 Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe

Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules ca...

8.2 CVSS · 5.9 AI score · 0.0003 EPSS
Exploits 1 · References 4
Positive Technologies
added 2026/05/08 12:00 a.m. · 5 views

PT-2026-39146

Name of the Vulnerable Software and Affected Versions: absinthe versions 1.5.0 through 1.10.1. Description: An unauthenticated denial of service can occur via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in the SDL language...

8.2 CVSS · 5.8 AI score · 0.0003 EPSS
Exploits 1 · References 11
OSSF Malicious Packages
added 2025/11/12 4:29 a.m. · 3 views

Malicious code in graphql-chai-schema-elara (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a8815d1a4d4f17193b365dff9a9095f12e31e182c8b4d9189ceeeb9f15874d46 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits 0
EUVD
added 2025/10/30 5:38 p.m. · 3 views

EUVD-2025-37140

Malicious code in epic-graphql-schema npm...

6.6 AI score
Exploits 0
OSSF Malicious Packages
added 2025/10/30 5:38 p.m. · 4 views

Malicious code in epic-graphql-schema (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5cd084bb1d953fdf618916ebe2971c48ec09222cefe2ffde4698ef07d373707f The package epic-graphql-schema was found to contain malicious code...

7 AI score
Exploits 0
OSV
added 2025/10/30 5:38 p.m. · 1 view

MAL-2025-49153 Malicious code in epic-graphql-schema (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5cd084bb1d953fdf618916ebe2971c48ec09222cefe2ffde4698ef07d373707f The package epic-graphql-schema was found to contain malicious code...

7 AI score
Exploits 0
Tenable Nessus
added 2025/05/16 12:00 a.m. · 2 views

GraphQL Import Success

GraphQL schema file was successfully imported and can be used during the scan. No source data...

7.3 AI score
Exploits 0
RedhatCVE
added 2025/05/07 7:14 p.m. · 11 views

CVE-2025-46720

Keystone is a content management system for Node.js. Prior to version 6.5.0, field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields...

4.3 CVSS · 6.7 AI score · 0.00062 EPSS
Exploits 0 · References 1
Cvelist
added 2025/05/05 6:53 p.m. · 14 views

CVE-2025-46720 Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields

Keystone is a content management system for Node.js. Prior to version 6.5.0, field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields...

3.1 CVSS · 0.00062 EPSS
Exploits 0 · References 1
RedHat Linux
added 2025/04/01 3:15 p.m. · 3 views

graphql-ruby: Remote code execution when loading a crafted GraphQL schema

A flaw was found in graphql-ruby. In affected versions of graphql-ruby, loading a malicious schema definition in GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load can cause remote code execution. Any system that loads a schema by JSON from an untrusted source is vulnerable,...

9 CVSS · 6.1 AI score · 0.01361 EPSS
Exploits 2 · References 13
OSV
added 2025/03/12 7:28 p.m. · 19 views

GHSA-Q92J-GRW3-H492 graphql allows remote code execution when loading a crafted GraphQL schema

Summary: Loading a malicious schema definition in GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas...

9 CVSS · 7.6 AI score · 0.01361 EPSS
Exploits 2 · References 15
Github Security Blog
added 2025/03/12 7:28 p.m. · 43 views

graphql allows remote code execution when loading a crafted GraphQL schema

Summary: Loading a malicious schema definition in GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas...

9 CVSS · 7.6 AI score · 0.01361 EPSS
Exploits 2 · References 15 · Affected Software 1
RubySec
added 2025/03/12 12:00 a.m. · 18 views

graphql allows remote code execution when loading a crafted GraphQL schema

Loading a malicious schema definition in GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via...

9 CVSS · 9.3 AI score · 0.01361 EPSS
Exploits 2 · References 1 · Affected Software 1
Positive Technologies
added 2024/09/24 12:00 a.m. · 2 views

PT-2024-40583 · Graphql · Graphql

Name of the Vulnerable Software and Affected Versions: graphql affected versions not specified Description: The issue is related to a security exception in the graphql schema. Specifically, the problem occurs in the simplePrint function of GraphQLTypeUtil. This function is called multiple times,...

6.9 AI score
Exploits 0 · References 2
Veracode
added 2021/11/05 2:38 a.m. · 17 views

Template Injection

graphql-playground is vulnerable to template injection. An attacker is able to set malicious graphql schema URL dynamically via a vulnerable schema of custom graphiql implementation of graphiql's fetcher...

7.1 CVSS · 2.7 AI score · 0.00398 EPSS
Exploits 0 · References 4 · Affected Software 2
Veracode
added 2020/06/08 9:13 a.m. · 5 views

Information Disclosure

apollo-server-hapi is vulnerable to information leakage. Lack of validation rules enforcement during the subscription server creation with the NoIntrospection rule for websockets exposes GraphQL schema types, their relations, human-readable names and many more. More information on the references...

1.1 AI score
Exploits 0
Veracode
added 2020/06/08 6:21 a.m. · 11 views

Information Leakage

apollo-server-lambda is vulnerable to information leakage. Lack of validation rules enforcement during the subscription server creation with the NoIntrospection rule for websockets exposes GraphQL schema types, their relations, human-readable names and many more. More information on the references...

1.2 AI score
Exploits 0
Node.js
added 2020/06/05 8:20 p.m. · 14 views

Information Exposure

Overview: Versions of apollo-server-lambda prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, their relatio...

6.7 AI score
Exploits 0 · Affected Software 1