{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/graphql/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-40520"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-injection","freepbx","graphql","cve-2026-40520"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFreePBX, a widely used open-source PBX (Private Branch Exchange) system, is vulnerable to a command injection flaw within its API module. Specifically, versions 17.0.8 and earlier are affected by CVE-2026-40520. The vulnerability resides in the \u003ccode\u003einitiateGqlAPIProcess()\u003c/code\u003e function, where GraphQL mutation input fields are directly passed to the \u003ccode\u003eshell_exec()\u003c/code\u003e function without proper sanitization or escaping. This allows an authenticated attacker with a valid bearer token to inject and execute arbitrary commands on the underlying host operating system as the web server user. The attack vector involves sending a specially crafted GraphQL \u003ccode\u003emoduleOperations\u003c/code\u003e mutation containing backtick-wrapped commands within the \u003ccode\u003emodule\u003c/code\u003e field. 
Successful exploitation grants the attacker the ability to compromise the FreePBX server and potentially pivot to other internal systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the FreePBX API using a valid bearer token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a GraphQL \u003ccode\u003emoduleOperations\u003c/code\u003e mutation request.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003emodule\u003c/code\u003e field of the mutation, the attacker injects a command using backticks (e.g., \u003ccode\u003e`id`\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious GraphQL request to the \u003ccode\u003e/api\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003einitiateGqlAPIProcess()\u003c/code\u003e function processes the request without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected command is passed to the \u003ccode\u003eshell_exec()\u003c/code\u003e function within \u003ccode\u003eApi.class.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eshell_exec()\u003c/code\u003e function executes the injected command on the FreePBX server as the web server user (e.g., \u003ccode\u003ewww-data\u003c/code\u003e, \u003ccode\u003eapache\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary command execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this command injection vulnerability (CVE-2026-40520) allows an attacker to execute arbitrary commands on the FreePBX server with the privileges of the web server user. This can lead to complete compromise of the PBX system, allowing the attacker to eavesdrop on calls, modify call routing, steal sensitive data, install malware, and potentially pivot to other systems on the network. 
Given the critical role of PBX systems in business communications, a successful attack can disrupt operations, damage reputation, and result in significant financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the FreePBX API module to a version greater than 17.0.8 to patch CVE-2026-40520.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FreePBX GraphQL Command Injection\u003c/code\u003e to identify exploitation attempts by detecting backticks in GraphQL mutation requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/api\u003c/code\u003e endpoint containing GraphQL mutations with backtick-wrapped commands to detect command injection attempts.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures for all GraphQL input fields to prevent command injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T13:16:20Z","date_published":"2026-04-21T13:16:20Z","id":"/briefs/2026-04-freepbx-command-injection/","summary":"FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function, allowing authenticated users to execute arbitrary commands via crafted GraphQL mutations.","title":"FreePBX API Module Command Injection Vulnerability (CVE-2026-40520)","url":"https://feed.craftedsignal.io/briefs/2026-04-freepbx-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33756"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["resource-exhaustion","graphql","cve-2026-33756","dos"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSaleor, an e-commerce platform, is susceptible to a resource exhaustion vulnerability affecting versions 2.0.0 prior to 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. 
This vulnerability stems from the platform\u0026rsquo;s support for query batching, where multiple GraphQL operations can be submitted in a single HTTP request as a JSON array. The absence of an upper limit on the number of operations within a single request allows unauthenticated attackers to bypass per-query complexity limits. By sending a single HTTP request containing a massive number of GraphQL operations, an attacker can exhaust server resources, potentially leading to denial of service. The vulnerability is addressed in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. Defenders must ensure they are running patched versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Saleor instance running a vulnerable version (prior to 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the GraphQL endpoint (typically \u003ccode\u003e/graphql/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request body contains a JSON array representing a batch of GraphQL queries.\u003c/li\u003e\n\u003cli\u003eThe number of GraphQL operations within the array is excessively large, designed to bypass query complexity limits.\u003c/li\u003e\n\u003cli\u003eThe Saleor server processes the HTTP request, attempting to execute all GraphQL operations within the batch.\u003c/li\u003e\n\u003cli\u003eDue to the large number of operations, the server\u0026rsquo;s resources (CPU, memory) become heavily utilized.\u003c/li\u003e\n\u003cli\u003eThe server becomes slow or unresponsive to legitimate user requests, causing a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process to maintain the denial-of-service state, impacting legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in 
resource exhaustion on the Saleor e-commerce platform. This can lead to slow response times, application instability, and ultimately a denial-of-service condition for legitimate users. This vulnerability poses a significant risk to e-commerce businesses relying on Saleor, potentially impacting sales, customer satisfaction, and overall business operations. The number of potential victims is directly proportional to the number of Saleor installations running vulnerable versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Saleor instances to versions 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 or later to patch CVE-2026-33756.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect High Volume of GraphQL Queries\u003c/code\u003e to identify potential exploitation attempts by monitoring the number of GraphQL queries within a single HTTP request in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for abnormally large HTTP POST requests to the \u003ccode\u003e/graphql/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the GraphQL endpoint to restrict the number of requests from a single IP address within a defined timeframe.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T12:00:00Z","date_published":"2026-04-09T12:00:00Z","id":"/briefs/2026-04-saleor-resource-exhaustion/","summary":"Unauthenticated attackers can exploit a resource exhaustion vulnerability (CVE-2026-33756) in Saleor e-commerce platform versions before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118 by sending a single HTTP request with a large number of GraphQL operations, bypassing query complexity limits and exhausting server resources.","title":"Saleor GraphQL Batch Query Resource Exhaustion Vulnerability 
(CVE-2026-33756)","url":"https://feed.craftedsignal.io/briefs/2026-04-saleor-resource-exhaustion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-35401"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-35401","graphql","resource-exhaustion","denial-of-service","saleor"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35401 details a resource exhaustion vulnerability affecting the Saleor e-commerce platform. Present in versions 2.0.0 up to, but not including, 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the flaw allows an unauthenticated, remote attacker to exhaust server resources. This is achieved by sending a single API call containing numerous GraphQL mutations or queries, leveraging aliases or chaining techniques. The excessive processing load induced by these malicious requests can lead to a denial-of-service (DoS) condition. Organizations using vulnerable Saleor versions are at risk of service disruption, potentially impacting business operations and revenue. Mitigation involves upgrading to the patched versions: 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Saleor e-commerce platform running a vulnerable version (2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GraphQL query or mutation containing numerous aliased or chained operations. 
This is done to maximize server-side processing load.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted GraphQL request to the Saleor platform\u0026rsquo;s API endpoint, typically \u003ccode\u003e/graphql/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Saleor server attempts to process all the queries/mutations within the single request.\u003c/li\u003e\n\u003cli\u003eThe server resources (CPU, memory, database connections) are rapidly consumed by the excessive processing demand.\u003c/li\u003e\n\u003cli\u003eThe server becomes slow and unresponsive, potentially timing out for legitimate user requests.\u003c/li\u003e\n\u003cli\u003eThe Saleor e-commerce platform experiences a denial-of-service condition, disrupting service for legitimate customers.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat this process to maintain the denial-of-service state, further impacting business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35401 leads to resource exhaustion on the Saleor e-commerce platform, resulting in a denial-of-service condition. This disruption can impact online sales, customer experience, and brand reputation. The number of affected systems depends on the prevalence of vulnerable Saleor installations. While the exact number of victims is unknown, any e-commerce business using an unpatched version is susceptible to service outages. 
Prolonged or repeated attacks can lead to significant financial losses and damage to business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Saleor e-commerce platforms to versions 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 to patch CVE-2026-35401.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003e/graphql/\u003c/code\u003e API endpoint to mitigate the impact of excessive requests.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious GraphQL Volume\u003c/code\u003e to identify potential exploitation attempts based on request patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T19:25:23Z","date_published":"2026-04-08T19:25:23Z","id":"/briefs/2026-04-saleor-graphql-exhaustion/","summary":"A remote, unauthenticated attacker can cause resource exhaustion in Saleor e-commerce platforms via maliciously crafted GraphQL API requests, leading to denial of service.","title":"Saleor GraphQL Resource Exhaustion Vulnerability (CVE-2026-35401)","url":"https://feed.craftedsignal.io/briefs/2026-04-saleor-graphql-exhaustion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","graphql","tinacms","arbitrary-file-write"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in versions 2.2.1 and earlier of \u003ccode\u003e@tinacms/graphql\u003c/code\u003e, a GraphQL API for TinaCMS. This flaw enables unauthenticated attackers to write and overwrite arbitrary files within the project root directory. The vulnerability stems from insufficient validation of the \u003ccode\u003erelativePath\u003c/code\u003e parameter within GraphQL mutations. 
By exploiting this weakness, attackers can overwrite critical server configuration files like \u003ccode\u003epackage.json\u003c/code\u003e and \u003ccode\u003etsconfig.json\u003c/code\u003e, inject malicious scripts into the \u003ccode\u003epublic/\u003c/code\u003e directory, and even achieve arbitrary code execution by modifying build scripts or server-side logic files. This vulnerability poses a significant risk to systems utilizing vulnerable versions of \u003ccode\u003e@tinacms/graphql\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a TinaCMS instance running a vulnerable version of \u003ccode\u003e@tinacms/graphql\u003c/code\u003e (\u0026lt;= 2.2.1).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GraphQL mutation request targeting the \u003ccode\u003eupdateDocument\u003c/code\u003e mutation.\u003c/li\u003e\n\u003cli\u003eWithin the mutation, the attacker manipulates the \u003ccode\u003erelativePath\u003c/code\u003e parameter to include a path traversal sequence, such as \u003ccode\u003ex\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\package.json\u003c/code\u003e. 
The backslashes are misinterpreted on non-Windows systems.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003egetValidatedPath\u003c/code\u003e function fails to properly sanitize the malicious path due to the backslash bypass on non-Windows platforms.\u003c/li\u003e\n\u003cli\u003eThe request is processed, and the server attempts to write to the attacker-specified file path.\u003c/li\u003e\n\u003cli\u003eThe file system API resolves the path traversal sequence, leading to a write operation outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites a critical file, such as \u003ccode\u003epackage.json\u003c/code\u003e, with malicious content.\u003c/li\u003e\n\u003cli\u003eThe server or build process executes the modified file, resulting in arbitrary code execution or other malicious behavior.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to perform arbitrary file writes, leading to several critical consequences. Attackers can overwrite server configuration files, inject malicious scripts for client-side attacks, and achieve arbitrary code execution by modifying build scripts or server-side logic. The impact ranges from denial of service to complete system compromise. 
While the exact number of affected systems is unknown, all TinaCMS instances running \u003ccode\u003e@tinacms/graphql\u003c/code\u003e version 2.2.1 or earlier are susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@tinacms/graphql\u003c/code\u003e to a patched version (later than 2.2.1) to remediate CVE-2026-33949.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect TinaCMS GraphQL Path Traversal Attempt\u003c/code\u003e to identify attempted exploitation of the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/graphql\u003c/code\u003e endpoint containing suspicious \u003ccode\u003erelativePath\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for file paths within GraphQL mutations, regardless of the underlying operating system.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T17:11:02Z","date_published":"2026-03-30T17:11:02Z","id":"/briefs/2026-04-tinacms-path-traversal/","summary":"A path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root by manipulating the relativePath parameter in GraphQL mutations, leading to potential arbitrary code execution.","title":"TinaCMS GraphQL Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tinacms-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","graphql","gitlab","cve-2026-3988"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-3988 is a denial-of-service (DoS) vulnerability affecting GitLab CE/EE. The vulnerability resides in the processing of GraphQL requests and stems from improper input validation. 
An unauthenticated attacker can exploit this flaw by sending specially crafted GraphQL requests, causing the GitLab instance to become unresponsive, effectively denying service to legitimate users. The affected versions include all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1…\u003c/p\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-gitlab-graphql-dos/","summary":"CVE-2026-3988 is a denial of service vulnerability in GitLab CE/EE allowing unauthenticated users to crash instances by sending malformed GraphQL requests, affecting versions 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1.","title":"GitLab GraphQL Denial of Service Vulnerability (CVE-2026-3988)","url":"https://feed.craftedsignal.io/briefs/2026-03-gitlab-graphql-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["gitlab","csrf","cve-2026-3857","graphql"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGitLab has addressed a critical security flaw, identified as CVE-2026-3857, within its Community Edition (CE) and Enterprise Edition (EE). This vulnerability impacts GitLab instances running versions 17.10 up to, but not including, 18.8.7, versions 18.9 up to 18.9.3, and versions 18.10 up to 18.10.1.  The core issue lies in insufficient Cross-Site Request Forgery (CSRF) protection when handling GraphQL mutations. 
An unauthenticated attacker could exploit this by crafting malicious web pages…\u003c/p\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-gitlab-csrf/","summary":"CVE-2026-3857 describes a vulnerability in GitLab CE/EE versions 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, where an unauthenticated user can execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection, potentially leading to data modification or privilege escalation.","title":"GitLab GraphQL CSRF Vulnerability (CVE-2026-3857)","url":"https://feed.craftedsignal.io/briefs/2026-03-gitlab-csrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Graphql","version":"https://jsonfeed.org/version/1.1"}