Skip to main content

Genql

1 CVEs product

Monthly

CVE-2026-63397 HIGH PATCH This Week

Code injection in remorses/genql (the @genql/cli TypeScript GraphQL client generator) before 6.3.4 lets an actor who controls the GraphQL schema fed to genql smuggle arbitrary TypeScript/JavaScript into the generated schema.ts file, which then executes when a downstream consumer bundles and imports the client. The flaw stems from GraphQL type/field descriptions containing a `*/` sequence that breaks out of the generated JSDoc comment block. There is no public exploit identified at time of analysis and it is not in CISA KEV; the issue was responsibly disclosed (issue #197) and reported by CISA (cisa-cg), with a vendor patch in 6.3.4.

RCE Genql
NVD GitHub
CVSS 4.0
7.1
CVSS 7.1
HIGH PATCH This Week

Code injection in remorses/genql (the @genql/cli TypeScript GraphQL client generator) before 6.3.4 lets an actor who controls the GraphQL schema fed to genql smuggle arbitrary TypeScript/JavaScript into the generated schema.ts file, which then executes when a downstream consumer bundles and imports the client. The flaw stems from GraphQL type/field descriptions containing a `*/` sequence that breaks out of the generated JSDoc comment block. There is no public exploit identified at time of analysis and it is not in CISA KEV; the issue was responsibly disclosed (issue #197) and reported by CISA (cisa-cg), with a vendor patch in 6.3.4.

RCE Genql
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy