CVE-2026-63397
Received Received - Intake

Authenticated JavaScript Injection in GenQL Code Generator

Vulnerability report for CVE-2026-63397, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description

remorses/genql before version 6.3.4 allows an authenticated attacker with control of the GraphQL schema that is passed to genql to inject arbitrary JavaScript or TypeScript. The malicious code is injected into the generated schema.ts file and executes when the genql client is bundled and imported.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
remorses genql to 6.3.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a code injection flaw in the remorses/genql library before version 6.3.4. An authenticated attacker with control over the GraphQL schema can inject arbitrary JavaScript or TypeScript code into the generated schema.ts file. This malicious code executes when the genql client is bundled and imported by the victim.

Detection Guidance

Check if your system uses @genql/cli versions before 6.3.4 by inspecting package.json or running npm list @genql/cli. Look for generated schema.ts files containing suspicious TypeScript code or JSDoc comments with unescaped '*/' sequences.

Impact Analysis

If you use an affected version of genql and process schemas from untrusted sources, an attacker could inject malicious code that runs in your application. This could lead to data theft, unauthorized actions, or further compromise of your system depending on the privileges of the application.

Compliance Impact

This vulnerability could lead to unauthorized code execution, potentially exposing sensitive data. For GDPR, this may result in violations of data protection principles if personal data is accessed or exfiltrated. For HIPAA, it could compromise protected health information if healthcare systems are affected. Compliance may be impacted if the vulnerability enables data breaches or unauthorized access to regulated data.

Mitigation Strategies

Upgrade @genql/cli to version 6.3.4 or later. If using untrusted GraphQL schemas, sanitize descriptions by escaping '*/' to '*\/' before passing them to generate(). Review generated schema.ts files for unexpected code injections.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63397. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart