<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Fri, 05 Jun 2026 04:25:55 +0000</lastBuildDate>
    <item>
      <title>8d3ef115-8d8f-4b13-8d49-d20387cee5b0</title>
      <link>https://vulnerability.circl.lu/sighting/8d3ef115-8d8f-4b13-8d49-d20387cee5b0/export</link>
      <description>{"uuid": "8d3ef115-8d8f-4b13-8d49-d20387cee5b0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-47707", "type": "published-proof-of-concept", "source": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-fr49-mhgj-crfc", "content": "", "creation_timestamp": "2026-05-19T17:02:32.000000Z"}</description>
      <content:encoded>{"uuid": "8d3ef115-8d8f-4b13-8d49-d20387cee5b0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-47707", "type": "published-proof-of-concept", "source": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-fr49-mhgj-crfc", "content": "", "creation_timestamp": "2026-05-19T17:02:32.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/8d3ef115-8d8f-4b13-8d49-d20387cee5b0/export</guid>
      <pubDate>Tue, 19 May 2026 17:02:32 +0000</pubDate>
    </item>
    <item>
      <title>004bf0d1-f944-46da-8aeb-d5c9b528646d</title>
      <link>https://vulnerability.circl.lu/sighting/004bf0d1-f944-46da-8aeb-d5c9b528646d/export</link>
      <description>{"uuid": "004bf0d1-f944-46da-8aeb-d5c9b528646d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47707", "type": "seen", "source": "https://gist.github.com/alon710/010787d34dde83f4031b6f6c155ccffb", "content": "# CVE-2026-47707: CVE-2026-47707: GraphQL Alias Amplification Bypass in Strawberry GraphQL MaxAliasesLimiter\n\n&amp;gt; **CVSS Score:** 5.3\n&amp;gt; **Published:** 2026-06-04\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-47707\n\n## Summary\nA security flaw in strawberry-graphql versions 0.172.0 through 0.315.6 allows unauthenticated attackers to bypass the MaxAliasesLimiter extension. By utilizing GraphQL fragment spreads, clients can trigger high levels of alias amplification, causing uncontrolled backend resource consumption and application-level Denial of Service.\n\n## TL;DR\nThe MaxAliasesLimiter extension in strawberry-graphql fails to account for fragment spreads during pre-execution static analysis. Attackers can bypass alias thresholds and trigger thousands of actual backend executions, leading to denial of service.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-400 (Uncontrolled Resource Consumption)\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1**: 5.3 (Medium)\n- **Exploit Status**: Proof-of-Concept Available\n- **KEV Status**: Not Listed\n- **Primary Impact**: Availability (Application-level Denial of Service)\n\n## Affected Systems\n\n- strawberry-graphql\n- **strawberry-graphql**: &amp;gt;= 0.172.0, &amp;lt; 0.315.7 (Fixed in: `0.315.7`)\n\n## Mitigation\n\n- Upgrade strawberry-graphql to version 0.315.7 or higher.\n- Disable the MaxAliasesLimiter extension in configuration files if immediate patching is not possible.\n- Deploy a Web Application Firewall (WAF) or validation layer to analyze incoming queries for redundant or highly nested fragment distributions.\n\n**Remediation Steps:**\n1. Identify all internal services employing strawberry-graphql in Python dependencies.\n2. Execute pip install --upgrade \"strawberry-graphql&amp;gt;=0.315.7\" or update your pyproject.toml / requirements.txt declarations.\n3. Verify that the GraphQL router initializes the MaxAliasesLimiter with safe max_alias_count configurations.\n4. Run regression testing to confirm that legitimate client operations using fragments continue to work as expected.\n\n## References\n\n- [GHSA-fr49-mhgj-crfc Advisory](https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-fr49-mhgj-crfc)\n- [Strawberry GraphQL Version 0.315.7 Release Notes](https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.7)\n- [CVE-2026-47707 CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-47707)\n- [Patch Commit a69221f](https://github.com/strawberry-graphql/strawberry/commit/a69221fb0b86583ceb5755758b294c8319021fd1)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-47707) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T15:20:57.000000Z"}</description>
      <content:encoded>{"uuid": "004bf0d1-f944-46da-8aeb-d5c9b528646d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47707", "type": "seen", "source": "https://gist.github.com/alon710/010787d34dde83f4031b6f6c155ccffb", "content": "# CVE-2026-47707: CVE-2026-47707: GraphQL Alias Amplification Bypass in Strawberry GraphQL MaxAliasesLimiter\n\n&amp;gt; **CVSS Score:** 5.3\n&amp;gt; **Published:** 2026-06-04\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-47707\n\n## Summary\nA security flaw in strawberry-graphql versions 0.172.0 through 0.315.6 allows unauthenticated attackers to bypass the MaxAliasesLimiter extension. By utilizing GraphQL fragment spreads, clients can trigger high levels of alias amplification, causing uncontrolled backend resource consumption and application-level Denial of Service.\n\n## TL;DR\nThe MaxAliasesLimiter extension in strawberry-graphql fails to account for fragment spreads during pre-execution static analysis. Attackers can bypass alias thresholds and trigger thousands of actual backend executions, leading to denial of service.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-400 (Uncontrolled Resource Consumption)\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1**: 5.3 (Medium)\n- **Exploit Status**: Proof-of-Concept Available\n- **KEV Status**: Not Listed\n- **Primary Impact**: Availability (Application-level Denial of Service)\n\n## Affected Systems\n\n- strawberry-graphql\n- **strawberry-graphql**: &amp;gt;= 0.172.0, &amp;lt; 0.315.7 (Fixed in: `0.315.7`)\n\n## Mitigation\n\n- Upgrade strawberry-graphql to version 0.315.7 or higher.\n- Disable the MaxAliasesLimiter extension in configuration files if immediate patching is not possible.\n- Deploy a Web Application Firewall (WAF) or validation layer to analyze incoming queries for redundant or highly nested fragment distributions.\n\n**Remediation Steps:**\n1. Identify all internal services employing strawberry-graphql in Python dependencies.\n2. Execute pip install --upgrade \"strawberry-graphql&amp;gt;=0.315.7\" or update your pyproject.toml / requirements.txt declarations.\n3. Verify that the GraphQL router initializes the MaxAliasesLimiter with safe max_alias_count configurations.\n4. Run regression testing to confirm that legitimate client operations using fragments continue to work as expected.\n\n## References\n\n- [GHSA-fr49-mhgj-crfc Advisory](https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-fr49-mhgj-crfc)\n- [Strawberry GraphQL Version 0.315.7 Release Notes](https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.7)\n- [CVE-2026-47707 CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-47707)\n- [Patch Commit a69221f](https://github.com/strawberry-graphql/strawberry/commit/a69221fb0b86583ceb5755758b294c8319021fd1)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-47707) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T15:20:57.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/004bf0d1-f944-46da-8aeb-d5c9b528646d/export</guid>
      <pubDate>Thu, 04 Jun 2026 15:20:57 +0000</pubDate>
    </item>
  </channel>
</rss>
