| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-40324 | Hot Chocolate's Utf8GraphQLParser has Stack Overflow via Deeply Nested GraphQL Documents | ChilliCream | graphql-platform | Critical | 9.1 | 2026-04-17 23:05:26 | Deep Dive |
| CVE-2026-40476 | graphql-php: Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation | webonyx | graphql-php | - | - | 2026-04-17 21:43:00 | Deep Dive |
| CVE-2026-35523 | Authentication bypass in strawberry-graphql via legacy graphql-ws WebSocket subprotocol | strawberry-graphql | strawberry | High | 7.5 | 2026-04-07 15:58:18 | Deep Dive |
| CVE-2026-35526 | Strawberry GraphQL affected by a Denial of Service via unbounded WebSocket subscriptions | strawberry-graphql | strawberry | High | 7.5 | 2026-04-07 15:23:37 | Deep Dive |
| CVE-2026-33290 | WPGraphQL Repo's updateComment allows low-privileged authenticated users to change comment moderation status (comment_approved) without moderate_comments permission | wp-graphql | wp-graphql | Medium | 4.3 | 2026-03-23 23:58:57 | Deep Dive |
| CVE-2026-24125 | Path Traversal in @tinacms/graphql | @tinacms | graphql | Medium | 6.3 | 2026-03-12 16:31:57 | Deep Dive |
| CVE-2026-27938 | WPGraphQL Repo Vulnerable to Command Injection via Unsanitized GitHub Actions Expression in Release Workflow | wp-graphql | wp-graphql | High | 7.7 | 2026-02-26 01:10:27 | Deep Dive |
| CVE-2021-47748 | Hasura GraphQL 1.3.3 - Remote Code Execution | Hasura | GraphQL | Critical | 9.8 | 2026-01-21 17:27:32 | Deep Dive |
| CVE-2026-23735 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in graphql-modules | graphql-hive | graphql-modules | High | - | 2026-01-16 20:04:20 | Deep Dive |
| CVE-2021-47715 | Hasura GraphQL 1.3.3 Server-Side Request Forgery via Remote Schema Injection | Hasura | Hasura GraphQL | Medium | 5.3 | 2025-12-22 21:35:26 | Deep Dive |
| CVE-2021-47714 | Hasura GraphQL 1.3.3 Local File Read via SQL Injection | Hasura | Hasura GraphQL | Medium | 5.5 | 2025-12-22 21:35:25 | Deep Dive |
| CVE-2021-47713 | Hasura GraphQL 1.3.3 Denial of Service via Malicious GraphQL Query | Hasura | Hasura GraphQL | High | 7.5 | 2025-12-22 21:35:25 | Deep Dive |
| CVE-2025-27407 | Remote code execution when loading a crafted GraphQL schema | rmosolgo | graphql-ruby | Critical | 9.0 | 2025-03-12 18:15:58 | Deep Dive |
| CVE-2025-27097 | Cache variables with the operations when transforms exist on the root level even if variables change in the further requests with the same operation | ardatan | graphql-mesh | Medium | - | 2025-02-20 20:15:54 | Deep Dive |
| CVE-2025-27098 | Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler in graphql-mesh | ardatan | graphql-mesh | Medium | 5.8 | 2025-02-20 20:13:01 | Deep Dive |
| CVE-2025-22151 | Strawberry GraphQL has a type resolution vulnerability | strawberry-graphql | strawberry | Low | 3.7 | 2025-01-09 18:51:18 | Deep Dive |
| CVE-2024-54147 | Altair GraphQL Client's desktop app does not validate HTTPS certificates | altair-graphql | altair | Medium | 6.8 | 2024-12-09 18:55:58 | Deep Dive |
| CVE-2024-47173 | Aimeos GraphQL API admin interface denial of service vulnerability in SaaS and marketplace setups | aimeos | ai-admin-graphql | Medium | 5.5 | 2024-10-24 18:54:12 | Deep Dive |
| CVE-2024-47614 | async-graphql vulnerable to Directive Overload | async-graphql | async-graphql | High | 7.5 | 2024-10-03 14:29:59 | Deep Dive |
| CVE-2024-47082 | Strawberry GraphQL Cross-Site Request Forgery (CSRF) vulnerability | strawberry-graphql | strawberry | Medium | 4.6 | 2024-09-25 17:48:24 | Deep Dive |