cvebase

Spring For Graphql vulnerabilities

4 known vulnerabilities affecting spring/spring_for_graphql.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 1

Vulnerabilities

CVE-2026-41699 | P2 | CRITICAL | CVSS 9.8 | 2026-06-11
Affected: ≥ 2.0.0, < 2.0.3.1; ≥ 1.4.0, < 1.4.5.1; +1 more range not shown
CWE-502: Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserializa…
Source: nvd
CVE-2026-41856 | P3 | HIGH | CVSS 7.5 | 2026-06-11
Affected: ≥ 2.0.0, < 2.0.3.1; ≥ 1.4.0, < 1.4.5.1; +2 more ranges not shown
CWE-284: The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0…
Source: nvd
CVE-2026-41700 | P3 | HIGH | CVSS 8.1 | 2026-06-11
Affected: ≥ 2.0.0, < 2.0.3.1; ≥ 1.4.0, < 1.4.5.1; +2 more ranges not shown
CWE-346: Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3;…
Source: nvd
CVE-2023-34047 | P4 | MEDIUM | CVSS 4.3 | 2023-09-20
Affected: ≥ 1.1.0, < 1.1.6; ≥ 1.2.0, < 1.2.3
A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry.
Source: nvd
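A practitioner-side check, added here as an example (it is not part of the cvebase page and not code from the Spring project): given the version of spring-graphql that a build actually resolves, return which of the CVEs listed above cover it. It transcribes only the ranges shown on this page; the three 2026 entries carry "+1 more" / "+2 more" ranges the page does not list, so a clean result for those is reported as inconclusive rather than safe. Two points the listing makes that are easy to misread are handled explicitly: the fixed versions are four-component (2.0.3.1, 1.4.5.1), so 2.0.3 and 1.4.5 are still inside the affected ranges; and the version that matters is the one the build resolves, not the one declared. The regex for `mvn dependency:list` / Gradle dependency-tree output, the sample output lines, and the treatment of pre-release qualifiers (-M1, -RC1, -SNAPSHOT compared as their numeric part, which is the conservative choice) are this example's assumptions.

```python
"""Check a resolved spring-graphql version against the CVE ranges listed on this page."""
from __future__ import annotations

import re

# Transcribed from the listing above: CVE -> (list of [min_inclusive, max_exclusive) ranges,
# number of additional affected ranges the page shows only as "+N more").
AFFECTED: dict[str, tuple[list[tuple[str, str]], int]] = {
    "CVE-2026-41699": ([("2.0.0", "2.0.3.1"), ("1.4.0", "1.4.5.1")], 1),
    "CVE-2026-41856": ([("2.0.0", "2.0.3.1"), ("1.4.0", "1.4.5.1")], 2),
    "CVE-2026-41700": ([("2.0.0", "2.0.3.1"), ("1.4.0", "1.4.5.1")], 2),
    "CVE-2023-34047": ([("1.1.0", "1.1.6"), ("1.2.0", "1.2.3")], 0),
}

# Assumed output formats (constructed samples, not captured from a real build):
# Maven `mvn dependency:list` prints "groupId:artifactId:type:version:scope";
# Gradle dependency trees print "groupId:artifactId:declared -> resolved" on conflict.
_COORD_RE = re.compile(
    r"org\.springframework\.graphql:spring-graphql(?:-[\w-]+)?:(?:jar:)?"
    r"(\d[\w.-]*)(?:\s*->\s*(\d[\w.-]*))?"
)


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Numeric prefix of a Maven version, padded to four components.

    "2.0.3" -> (2, 0, 3, 0) and "2.0.3.1" -> (2, 0, 3, 1), so a fixed four-component
    release sorts after the three-component one it patches. A qualifier such as
    "-SNAPSHOT" or "-RC1" is dropped (assumption: treat pre-releases like the release).
    """
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"not a Maven-style version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many components: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))  # type: ignore[return-value]


def affecting_cves(version: str) -> list[str]:
    """CVE IDs from the listing whose shown ranges contain `version`."""
    v = parse_version(version)
    return [
        cve
        for cve, (ranges, _extra) in AFFECTED.items()
        if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)
    ]


def inconclusive_cves() -> list[str]:
    """CVEs for which the page omits some ranges; a miss on these is not a clean bill."""
    return [cve for cve, (_ranges, extra) in AFFECTED.items() if extra > 0]


def find_spring_graphql_versions(dependency_output: str) -> list[str]:
    """Resolved spring-graphql versions found in Maven/Gradle dependency output, deduplicated."""
    found: list[str] = []
    for m in _COORD_RE.finditer(dependency_output):
        resolved = m.group(2) or m.group(1)  # prefer the "-> resolved" side when present
        if resolved not in found:
            found.append(resolved)
    return found


def report(dependency_output: str) -> dict[str, list[str]]:
    """Map each resolved version to the listed CVEs that cover it (empty list = no listed hit)."""
    return {v: affecting_cves(v) for v in find_spring_graphql_versions(dependency_output)}


# Constructed sample lines in the assumed formats (not real build output).
SAMPLE_MVN_OUTPUT = """\
[INFO] --- dependency:3.6.1:list (default-cli) @ demo ---
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter-graphql:jar:3.1.3:compile
[INFO]    org.springframework.graphql:spring-graphql:jar:1.2.2:compile
[INFO]    org.springframework.graphql:spring-graphql-test:jar:1.2.2:test
"""

SAMPLE_GRADLE_OUTPUT = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.springframework.boot:spring-boot-starter-graphql:3.1.3
|    +--- org.springframework.graphql:spring-graphql:1.2.2 -> 1.2.3
"""

if __name__ == "__main__":
    for label, sample in (("maven", SAMPLE_MVN_OUTPUT), ("gradle", SAMPLE_GRADLE_OUTPUT)):
        for version, cves in report(sample).items():
            print(f"{label}: spring-graphql {version}: {cves or 'no listed range matched'}")
    print("ranges incomplete on this page for:", inconclusive_cves())
```

Use `report()` on the real output of `mvn dependency:list` or `gradle dependencies` rather than on the pom or build script: a Spring Boot BOM can resolve a different spring-graphql than the one a module declares, and the Gradle sample above shows exactly that case. Treat an empty result for the 2026 CVEs as "not in the ranges this page shows", not as "unaffected", until the full range list has been checked.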