CVE-2026-47707 is a vulnerability in the `MaxAliasesLimiter` extension of Strawberry GraphQL, a library for creating GraphQL APIs. Versions 0.172.0 through 0.315.6 are affected. The extension fails to account for the multiplicative effect of `FragmentSpreadNode`, allowing attackers to bypass alias limits. This can lead to a denial of service (DoS) via resource exhaustion. The issue has been fixed in version 0.315.7.
CVE-2026-47706 is a medium-severity vulnerability in Strawberry GraphQL, a library for creating GraphQL APIs. The vulnerability affects versions 0.71.0 through 0.315.6 and is caused by a lack of cycle detection in fragment spreads, leading to an application-level denial of service (DoS). When a query contains circular fragment references, the `determine_depth` function enters an infinite recursion, result [truncated]
CVE-2026-45739 is a low-severity vulnerability in Strawberry GraphQL, a library for creating GraphQL APIs. The issue, patched in version 0.315.4, involves the bundled GraphiQL template writing values from the GraphiQL headers editor into the browser URL query string. This could potentially expose sensitive headers, such as authentication tokens, in browser history, copied links, and server/proxy/CDN acces [truncated]