{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-10802", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-06-04T05:02:30.479Z", "datePublished": "2026-06-04T11:15:10.397Z", "dateUpdated": "2026-06-04T12:31:20.535Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-06-04T11:15:10.397Z"}, "title": "keystonejs keystone GraphQL API Endpoint output-field.ts resource consumption", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "Resource Consumption"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-404", "lang": "en", "description": "Denial of Service"}]}], "affected": [{"vendor": "keystonejs", "product": "keystone", "versions": [{"version": "20260319", "status": "affected"}], "cpes": ["cpe:2.3:a:keystonejs:keystone:*:*:*:*:*:*:*:*"], "modules": ["GraphQL API Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results in resource consumption. It is possible to launch the attack remotely. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-06-04T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-06-04T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-06-04T07:07:34.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "nedlir (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/368251", "name": "VDB-368251 | keystonejs keystone GraphQL API Endpoint output-field.ts resource consumption", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/368251/cti", "name": "VDB-368251 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/cve/CVE-2026-10802", "name": "CVE-2026-10802 | CVE Analysis and Report", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/831461", "name": "Submit #831461 | Keystone KeystoneJS 2026-03-19 Denial of Service", "tags": ["third-party-advisory"]}, {"url": "https://github.com/keystonejs/keystone/issues/9789", "tags": ["issue-tracking"]}, {"url": "https://github.com/keystonejs/keystone/pull/9831", "tags": ["issue-tracking", "patch"]}, {"url": "https://gist.github.com/nedlir/0431275665076772844ebfe5167e54f6", "tags": ["exploit"]}, {"url": "https://github.com/keystonejs/keystone/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-04T12:31:14.916360Z", "id": "CVE-2026-10802", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-04T12:31:20.535Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-10802", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-04T12:31:14.916360Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-04T12:31:17.261Z"}}], "cna": {"title": "keystonejs keystone GraphQL API Endpoint output-field.ts resource consumption", "credits": [{"lang": "en", "type": "reporter", "value": "nedlir (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:keystonejs:keystone:*:*:*:*:*:*:*:*"], "vendor": "keystonejs", "modules": ["GraphQL API Endpoint"], "product": "keystone", "versions": [{"status": "affected", "version": "20260319"}]}], "timeline": [{"lang": "en", "time": "2026-06-04T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-06-04T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-06-04T07:07:34.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/368251", "name": "VDB-368251 | keystonejs keystone GraphQL API Endpoint output-field.ts resource consumption", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/368251/cti", "name": "VDB-368251 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/cve/CVE-2026-10802", "name": "CVE-2026-10802 | CVE Analysis and Report", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/831461", "name": "Submit #831461 | Keystone KeystoneJS 2026-03-19 Denial of Service", "tags": ["third-party-advisory"]}, {"url": "https://github.com/keystonejs/keystone/issues/9789", "tags": ["issue-tracking"]}, {"url": "https://github.com/keystonejs/keystone/pull/9831", "tags": ["issue-tracking", "patch"]}, {"url": "https://gist.github.com/nedlir/0431275665076772844ebfe5167e54f6", "tags": ["exploit"]}, {"url": "https://github.com/keystonejs/keystone/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results in resource consumption. It is possible to launch the attack remotely. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "Denial of Service"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-06-04T11:15:10.397Z"}}}, "cveMetadata": {"cveId": "CVE-2026-10802", "state": "PUBLISHED", "dateUpdated": "2026-06-04T12:31:20.535Z", "dateReserved": "2026-06-04T05:02:30.479Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-06-04T11:15:10.397Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results in resource consumption. It is possible to launch the attack remotely. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance."}], "id": "CVE-2026-10802", "lastModified": "2026-06-04T16:10:59.820", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-06-04T12:16:24.267", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/nedlir/0431275665076772844ebfe5167e54f6"}, {"source": "cna@vuldb.com", "url": "https://github.com/keystonejs/keystone/"}, {"source": "cna@vuldb.com", "url": "https://github.com/keystonejs/keystone/issues/9789"}, {"source": "cna@vuldb.com", "url": "https://github.com/keystonejs/keystone/pull/9831"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/cve/CVE-2026-10802"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/831461"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/368251"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/368251/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-404"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "20260319"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "keystone", "source": "cna", "vendor": "keystonejs"}, "product": "keystone", "vendor": "keystonejs"}], "created": "2026-06-04T14:00:14.789619+00:00", "updated": "2026-06-04T14:00:15.363389+00:00", "vendors": ["keystonejs", "keystonejs$PRODUCT$keystone"]}