๐Ÿ” CVE Alert

CVE-2026-63397

MEDIUM 6.4

remorses/genql code injection

CVSS Score
6.4
EPSS Score
0.0%
EPSS Percentile
0th

remorses/genql before version 6.3.4 allows an authenticated attacker with control of the GraphQL schema that is passed to genql to inject arbitrary JavaScript or TypeScript. The malicious code is injected into the generated schema.ts file and executes when the genql client is bundled and imported.

CWE CWE-116
Vendor remorses
Product genql
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for remorses genql

Be the first to know when new medium vulnerabilities affecting remorses genql are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

remorses / genql
0 < 6.3.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/remorses/genql/releases/tag/%40genql%2Fcli%406.3.4 cve.org: https://www.cve.org/CVERecord?id=CVE-2026-63397 github.com: https://github.com/remorses/genql raw.githubusercontent.com: https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-197-01.json

Credits

Hamza Haroon