GHSA-qm4w-4995-vg7f · Severity: critical · Ecosystem: npm — cruddl vulnerable to ArangoDB Query Language (AQL) injection through flexSearch
cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove `@flexSearchFulltext` from their schemas.
Conclusion & alert: CVE-2022-36084 is rated Moderate Risk (61/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.08%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.97% | 1.08% | +0.11% |
| 2 | 2025-11-21 | 1.38% | 0.97% | -0.41% |
| 3 | 2025-11-18 | — | 1.38% | — |
Full EPSS history (12 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.9 | 3.1 | CRITICAL |
|
3.1 | 6.0 | [email protected] |
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | [email protected] |
GHSA-qm4w-4995-vg7f · Severity: critical · Ecosystem: npm — cruddl vulnerable to ArangoDB Query Language (AQL) injection through flexSearch
| URL | Tags |
|---|---|
| https://github.com/AEB-labs/cruddl/commit/13b9233733ed6fc822718a07bc90a80cd3492698 | Patch Third Party Advisory |
| https://github.com/AEB-labs/cruddl/pull/253 | Patch Third Party Advisory |
| https://github.com/AEB-labs/cruddl/security/advisories/GHSA-qm4w-4995-vg7f | Vendor Advisory |