109 matches found
CVE-2026-47706
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...
Allocation of Resources Without Limits or Throttling
Overview strawberry-graphql is an A library for creating GraphQL APIs Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the MaxAliasesLimiter extension. An attacker can exhaust server resources by crafting GraphQL queries that exploit...
GHSA-FR49-MHGJ-CRFC Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification
Summary The MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this...
CVE-2026-47707 Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not...
CVE-2026-47707
Technical details about CVE-2026-47707 are not publicly available in the provided documents; monitor vendor advisories and official releases for updates.
EUVD-2026-34271
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not...
CVE-2026-47707 Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not...
CVE-2026-47706 Strawberry GraphQL has a Circular Fragment Reference DOS
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...
Cross-site Scripting (XSS)
Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of attributes using spread syntax from untrusted data, which includes event handler properties in the HTML output. An attacker can execute...
BIT-PARSE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A singl...
CVE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads...
CVE-2026-34573
Parse Server exposes a denial-of-service when the GraphQL query complexity validator is enabled (requestComplexity.graphQLDepth or requestComplexity.graphQLFields). In versions prior to 8.6.68 and 9.7.0-alpha.12, a crafted query using binary fan-out fragment spreads can block the Node.js event lo...
Hydra-worm
Hydra-worm Hydra-Worm is a rogue self-replicating exploit that...
Malicious code in @oku-ui/tabs (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5ce22352f26f8cfce834a6ce3362835601a48b73356305181e6d2b90062fcfa8 The package @oku-ui/tabs was found to contain malicious code. Source: google-open-source-security...
Malicious code in @browserbasehq/sdk-functions (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0dcba06b8039c18710f9cd77f877d6f7bcf48e1c0d25d161f404e2a14b689fca The package @browserbasehq/sdk-functions was found to contain malicious code. Source: google-open-source-security...
Malicious code in @posthog/lemon-ui (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bba1e7fb74f376bd3b56d7c910331af7b46fa8c392e697e08f858b837112e061 The package @posthog/lemon-ui was found to contain malicious code. Source: google-open-source-security...
Malicious code in @oku-ui/hover-card (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 49011592cdb157147144c2972c03c4ec153b1d0076d2aa6d45dce878247a77fc The package @oku-ui/hover-card was found to contain malicious code. Source: google-open-source-security...
Malicious code in @silgi/ratelimit (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 422196a67d61d4d71d26fc505d10b7d141fb54310ecab586ff0320d42f395509 The package @silgi/ratelimit was found to contain malicious code. Source: google-open-source-security...
Malicious code in @voiceflow/commitlint-config (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0318a598c3e523953b57c870305c3d1237a290a253f3d69dd9f24bf6ba079d6e The package @voiceflow/commitlint-config was found to contain malicious code. Source: ghsa-malware...
Malicious code in @voiceflow/encryption (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 13e58f7cdcdf3b87f5bbf111e42e13a1151626e495e15be73fc579109e397800 The package @voiceflow/encryption was found to contain malicious code. Source: ghsa-malware...