Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-63397— remorses/genql code injection

CVSS 6.4 · Medium EPSS 0.25% · P17

Affected Version Matrix 2

VendorProductVersion RangeStatus
remorsesgenql< 6.3.4affected
6.3.4unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-63397

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
remorses/genql code injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
remorses/genql before version 6.3.4 allows an authenticated attacker with control of the GraphQL schema that is passed to genql to inject arbitrary JavaScript or TypeScript. The malicious code is injected into the generated schema.ts file and executes when the genql client is bundled and imported.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对输出编码和转义不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Tommy D. Rossi Genql 输出处理不当漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Tommy D. Rossi Genql是Tommy D. Rossi个人开发者的一个可根据GraphQL架构生成类型安全SDK和查询构建器的代码生成工具。 Tommy D. Rossi Genql 6.3.4之前版本存在输出处理不当漏洞,该漏洞源于输出处理不当,可能导致经过身份验证的攻击者控制传递到genql的GraphQL模式,注入任意JavaScript或TypeScript,恶意代码被注入到生成的schema.ts文件中,并在genql客户端打包导入时执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
remorsesgenql 0 ~ 6.3.4 -

II. Public POCs for CVE-2026-63397

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-63397

登录查看更多情报信息。

Vendor Advisories for CVE-2026-63397 (1)

Other References for CVE-2026-63397 (2)

IV. Related Vulnerabilities

V. Comments for CVE-2026-63397

No comments yet


Leave a comment