Lenz Weber-Tronic

5 exploits Active since Jan 2024
CVE-2026-23897 WRITEUP HIGH WRITEUP
Apollo Server 2.0.0-3.13.0, 4.2.0-4.12.9, 5.0.0-5.3.9 - Denial of Service via Exotic Character Set Encoding
Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer.
CVSS 7.5
CVE-2024-23841 WRITEUP HIGH WRITEUP
apollo-client-nextjs < 0.7.0 - Cross-Site Scripting via Malicious GraphQL Input
apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input (e.g. by redirecting a user to a specifically-crafted link) or arrange to have malicious input be returned by a GraphQL server (e.g. by persisting it in a database). To fix this issue, please update to version 0.7.0 or later.
CVSS 8.2
CVE-2024-24556 WRITEUP HIGH WRITEUP
urql < 1.1.1 - Cross-Site Scripting via Improper HTML Escaping in Streamed Responses
urql is a GraphQL client that exposes a set of helpers for several frameworks. The `@urql/next` package is vulnerable to XSS. To exploit this an attacker would need to ensure that the response returns `html` tags and that the web-application is using streamed responses (non-RSC). This vulnerability is due to improper escaping of html-like characters in the response-stream. To fix this vulnerability upgrade to version 1.1.1
CVSS 7.2
CVE-2024-24558 WRITEUP HIGH WRITEUP
@tanstack/react-query-next-experimental 5.0.0-5.17.9 - Cross-Site Scripting
TanStack Query supplies asynchronous state management, server-state utilities and data fetching for the web. The `@tanstack/react-query-next-experimental` NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint. To fix this issue, please update to version 5.18.0 or later.
CVSS 8.2
CVE-2026-23897 WRITEUP HIGH WRITEUP
Apollo Server 2.0.0-3.13.0, 4.2.0-4.12.9, 5.0.0-5.3.9 - Denial of Service via Exotic Character Set Encoding
Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer.
CVSS 7.5