Skip to main content

genql EUVDEUVD-2026-45031

| CVE-2026-63397 HIGH
Improper Encoding or Escaping of Output (CWE-116)
2026-07-16 cisa-cg GHSA-w757-xvvv-vgfw
7.1
CVSS 4.0 · Vendor: cisa-cg
Share

Severity by source

Vendor (cisa-cg) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

AC:H and UI:R because it requires an untrusted schema plus a downstream bundle/import step; PR:L reflects an authenticated schema-editing position; full C/I/A High from code execution.

3.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (cisa-cg).

CVSS VectorVendor: cisa-cg

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 16, 2026 - 20:16 vuln.today
Analysis Generated
Jul 16, 2026 - 20:16 vuln.today
CVE Published
Jul 16, 2026 - 19:14 cve.org
HIGH 7.1

DescriptionCVE.org

remorses/genql before version 6.3.4 allows an authenticated attacker with control of the GraphQL schema that is passed to genql to inject arbitrary JavaScript or TypeScript. The malicious code is injected into the generated schema.ts file and executes when the genql client is bundled and imported.

AnalysisAI

Code injection in remorses/genql (the @genql/cli TypeScript GraphQL client generator) before 6.3.4 lets an actor who controls the GraphQL schema fed to genql smuggle arbitrary TypeScript/JavaScript into the generated schema.ts file, which then executes when a downstream consumer bundles and imports the client. The flaw stems from GraphQL type/field descriptions containing a */ sequence that breaks out of the generated JSDoc comment block. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain control of untrusted GraphQL schema
Delivery
Inject `*/` JSDoc breakout in field description
Exploit
Victim runs genql generate()
Execution
Payload written into schema.ts
Persist
Consumer bundles and imports client
Impact
Injected code executes in build/runtime

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to control the GraphQL schema (specifically a type or field description) that is passed to genql's generate() function - for example a compromised or typosquatted GraphQL endpoint, or a multi-tenant platform where users can edit type/field descriptions - and the payload must contain a `*/` sequence to break out of the generated JSDoc comment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H, base 7.1) captures the key tension: the impact triad is fully High (effective code execution), but exploitation is gated by real prerequisites - attack requirements are present (AT:P), the attacker needs a privileged/controlling position over the schema (PR:H), and active user interaction is required (UI:A), meaning a developer must actually run generation and then bundle/import the output. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a multi-tenant platform where users can edit GraphQL type or field descriptions, an attacker sets a description containing `*/` followed by malicious TypeScript. When the platform's developer or CI runs genql's generate() against that schema and bundles the resulting client, the injected statements execute in the build/runtime process. …
Remediation Vendor-released patch: upgrade @genql/cli to 6.3.4 or later, which escapes any `*/` in schema-derived text to `*\/` before interpolating it into JSDoc blocks; obtain it from https://github.com/remorses/genql/releases/tag/@genql/cli@6.3.4. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all projects using @genql/cli and identify which versions are currently deployed-focus on build pipelines and CI/CD systems that generate client code. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy