CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 9 hours ago•2 views

GHSA-QFWV-87QJ-98XQ Strawberry GraphQL has a Circular Fragment Reference DOS

Summary The QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth function enters an infinite recursion, leading to a RecursionError and crashing the...

ATTACKERKB•added 9 hours ago•3 views

Exploits0References3

CVE-2026-47706

Exploits0References3Affected Software1

Cvelist•added 9 hours ago•5 views

CVE-2026-47706 Strawberry GraphQL has a Circular Fragment Reference DOS

5.3CVSS

CVE•added 9 hours ago•6 views

CVE-2026-47706

The CVE affects Strawberry GraphQL versions 0.71.0–0.315.6, where the QueryDepthLimiter lacks cycle detection in fragment spreads, causing infinite recursion and an application-level DOS (RecursionError) during validation. The issue is fixed in 0.315.7. Remediation: upgrade to 0.315.7 or later. T...

Positive Technologies•added 23 hours ago•6 views

PT-2026-46249

Snyk•added 2026/04/08 3:5 p.m.•2 views

Exploits0References3

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the CreateHandler process, which lacks resource limits for query depth, complexity, response size, and rate limiting. An attacker can exhaust server CPU, memory, and bandwidth by...

7.1CVSS5.5AI score

OSV•added 2026/03/27 7:14 a.m.•0 views

BIT-PARSE-2026-33498 Parse Server: Query condition depth bypass via pre-validation transform pipeline

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. Th...

8.7CVSS5.8AI score0.00021EPSS

Exploits0References6

RedhatCVE•added 2026/03/26 3:1 p.m.•0 views

CVE-2026-32944

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the...

8.7CVSS5.7AI score0.0002EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:1 p.m.•0 views

CVE-2026-33508

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...

8.2CVSS5.7AI score0.00065EPSS

Exploits0References1

NVD•added 2026/03/24 7:16 p.m.•0 views

CVE-2026-33508

8.2CVSS0.00065EPSS

Exploits0References5

OSV•added 2026/03/24 6:18 p.m.•1 views

CVE-2026-33498 Parse Server: Query condition depth bypass via pre-validation transform pipeline

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server...

8.7CVSS5.8AI score0.00021EPSS

Exploits0References7

CNNVD•added 2026/03/24 12:0 a.m.•3 views

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.56 and 9.6.0-alpha.45. These vulnerabilities stemmed from the LiveQuery component no...

Github Security Blog•added 2026/03/20 9:48 p.m.•3 views

Exploits0References5

Parse Server LiveQuery subscription query depth bypass

Impact Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrade...

Exploits0References7Affected Software1

Snyk•added 2026/03/20 9:48 p.m.•0 views

Uncontrolled Recursion

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Uncontrolled Recursion via the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...

OSV•added 2026/03/20 9:48 p.m.•2 views

GHSA-6QH5-M6G3-XHQ6 Parse Server LiveQuery subscription query depth bypass

Github Security Blog•added 2026/03/20 8:56 p.m.•5 views

Exploits0References7

Parse Server has a query condition depth bypass via pre-validation transform pipeline

Impact An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. Patches The...

8.7CVSS5.8AI score0.00021EPSS

Exploits0References7Affected Software1

OSV•added 2026/03/20 11:37 a.m.•3 views

BIT-PARSE-2026-32944 Parse Server crash via deeply nested query condition operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server an...

8.7CVSS5.7AI score0.0002EPSS

Exploits0References4

Positive Technologies•added 2026/03/20 12:0 a.m.•1 views

PT-2026-26791

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.56 Parse Server versions prior to 9.6.0-alpha.45 Description Parse Server’s LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...