{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-02T03:18:25.860","vulnerabilities":[{"cve":{"id":"CVE-2020-4038","sourceIdentifier":"security-advisories@github.com","published":"2020-06-08T21:15:09.923","lastModified":"2024-11-21T05:32:11.997","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 has a severe reflected XSS vulnerability. All unsanitized user input passed into the renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected, including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before version 1.6.13."},{"lang":"es","value":"GraphQL Playground (paquete Graphql-playground-html NPM) versión anterior a 1.6.22, presenta una grave vulnerabilidad de ataque de Reflexión XSS. Toda entrada de usuario no saneada que es pasada al método renderPlaygroundPage() podría desencadenar esta vulnerabilidad. Esto ha sido parcheado en graphql-playground-html versión 1.6.22. 
Tome en cuenta que algunos de los paquetes de middleware dependientes asociados también están afectados, incluidos, entre otros, graphql-playground-middleware-express versión anterior a 1.7.16, graphql-playground-middleware-koa versión anterior a 1.6.15, graphql-playground-middleware-lambda versión anterior a 1.7.17, y graphql-playground-middleware-hapi versión anterior a 1.6.13"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.0}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"
vulnerable":true,"criteria":"cpe:2.3:a:prisma:graphql-playground-html:*:*:*:*:*:node.js:*:*","versionEndExcluding":"1.6.22","matchCriteriaId":"ABADBEC8-9462-4D41-9CF2-AAE06F44B192"},{"vulnerable":true,"criteria":"cpe:2.3:a:prisma:graphql-playground-middleware-express:*:*:*:*:*:node.js:*:*","versionEndExcluding":"1.7.16","matchCriteriaId":"8277C213-ED4A-495C-8F78-3A6BAB562EEA"},{"vulnerable":true,"criteria":"cpe:2.3:a:prisma:graphql-playground-middleware-hapi:*:*:*:*:*:node.js:*:*","versionEndExcluding":"1.6.13","matchCriteriaId":"8FF9861D-5F51-4395-8399-B20E883D1AE4"},{"vulnerable":true,"criteria":"cpe:2.3:a:prisma:graphql-playground-middleware-koa:*:*:*:*:*:node.js:*:*","versionEndExcluding":"1.6.15","matchCriteriaId":"2CEB6EE1-895A-4729-9E77-64B758B1F8A9"},{"vulnerable":true,"criteria":"cpe:2.3:a:prisma:graphql-playground-middleware-lambda:*:*:*:*:*:node.js:*:*","versionEndExcluding":"1.7.17","matchCriteriaId":"A2DF5937-B97F-4B80-9258-4F289B450F3E"}]}]}],"references":[{"url":"https://github.com/prisma-labs/graphql-playground#security-details","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf","source":"security-advisories@github.com","tags":["Mitigation","Third Party Advisory"]},{"url":"https://github.com/prisma-labs/graphql-playground#security-details","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party 
Advisory"]},{"url":"https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mitigation","Third Party Advisory"]}]}}]}