Description
remorses/genql before version 6.3.4 allows an authenticated attacker with control of the GraphQL schema that is passed to genql to inject arbitrary JavaScript or TypeScript. The malicious code is injected into the generated schema.ts file and executes when the genql client is bundled and imported.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Thu, 16 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | remorses/genql before version 6.3.4 allows an authenticated attacker with control of the GraphQL schema that is passed to genql to inject arbitrary JavaScript or TypeScript. The malicious code is injected into the generated schema.ts file and executes when the genql client is bundled and imported. | |
| Title | remorses/genql code injection | |
| Weaknesses | CWE-116 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: cisa-cg
Published:
Updated: 2026-07-16T19:14:30.532Z
Reserved: 2026-07-16T18:33:57.457Z
Link: CVE-2026-63397
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-116
Improper Encoding or Escaping of Output