CVE-2025-59845 · HIGH 8.2 · EPSS p4.1%


Description

Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies. This issue has been patched in Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3.
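The flaw described above is a `message` listener that acts on whatever a `window.postMessage` call delivers without checking where it came from. The example below is added here and is not code from Apollo's embeddable-explorer or from the advisory; it models the vulnerable handler shape beside a hardened one that checks `event.origin` and `event.source` and validates the message before executing anything. The message name `ExecuteOperation`, the field names, the trusted origin and the MessageEvent-like objects are assumptions constructed for illustration so the block runs outside a browser.

```javascript
// Added example, not Apollo's code. Models a postMessage handler with the flaw
// the advisory describes (no origin check) beside a hardened version.
// Message names, fields and the trusted origin are assumptions for illustration.

const TRUSTED_ORIGIN = "https://studio.apollographql.com"; // assumed embed origin

// Stand-in for the code path that sends an operation to the user's GraphQL
// server with the browser's credentials. Records what it was asked to run.
function makeRecordingExecutor() {
  const executed = [];
  return {
    executed,
    run(operation, variables) {
      executed.push({ operation, variables });
      return { data: { ok: true } };
    },
  };
}

// Vulnerable shape: any window that can post to this one is trusted.
function makeVulnerableHandler(executor) {
  return function onMessage(event) {
    const msg = event.data;
    if (!msg || msg.name !== "ExecuteOperation") return "ignored"; // assumed name
    executor.run(msg.operation, msg.variables);
    return "executed";
  };
}

// Hardened shape: require the expected origin AND the window object of the
// iframe this page created, then validate the message shape before executing.
function makeHardenedHandler(executor, trustedOrigin, expectedSource) {
  return function onMessage(event) {
    if (event.origin !== trustedOrigin) return "rejected:origin";
    if (event.source !== expectedSource) return "rejected:source";
    const msg = event.data;
    if (!msg || typeof msg !== "object") return "ignored";
    if (msg.name !== "ExecuteOperation") return "ignored";
    if (typeof msg.operation !== "string" || msg.operation.length === 0) {
      return "rejected:shape";
    }
    if (msg.variables !== undefined &&
        (typeof msg.variables !== "object" || msg.variables === null)) {
      return "rejected:shape";
    }
    executor.run(msg.operation, msg.variables);
    return "executed";
  };
}

// Constructed MessageEvent-like objects. In a browser these arrive via the
// `message` event and `source` is the posting window; here they are plain objects.
const embedFrameWindow = { id: "apollo-embed-iframe" }; // stands in for iframe.contentWindow
const attackerWindow = { id: "attacker-window" };
const forgedMutation = {
  name: "ExecuteOperation",
  operation: "mutation { deleteAllProjects { count } }",
  variables: {},
};

// Runs the attacker's forged message through both handlers and a legitimate
// message through the hardened one; returns what each did.
function demo() {
  const vulnExec = makeRecordingExecutor();
  const vuln = makeVulnerableHandler(vulnExec);
  const vulnResult = vuln({ origin: "https://attacker.example",
                            source: attackerWindow, data: forgedMutation });

  const hardExec = makeRecordingExecutor();
  const hard = makeHardenedHandler(hardExec, TRUSTED_ORIGIN, embedFrameWindow);
  const attackResult = hard({ origin: "https://attacker.example",
                              source: attackerWindow, data: forgedMutation });
  // Right origin but a different window (e.g. another frame from that origin).
  const wrongSource = hard({ origin: TRUSTED_ORIGIN,
                             source: attackerWindow, data: forgedMutation });
  const legitResult = hard({ origin: TRUSTED_ORIGIN,
                             source: embedFrameWindow, data: forgedMutation });
  return {
    vulnResult, vulnExecuted: vulnExec.executed.length,
    attackResult, wrongSource, legitResult,
    hardExecuted: hardExec.executed.length,
  };
}

module.exports = { makeVulnerableHandler, makeHardenedHandler, makeRecordingExecutor, demo };
```

Checking `event.origin` alone is the fix the advisory names; comparing `event.source` against the iframe's own `contentWindow` additionally stops a different frame from the trusted origin from driving the embed. The sending side has the mirror-image duty: pass an explicit `targetOrigin` to `postMessage` instead of `"*"`, so responses cannot be read by a page that navigated the frame elsewhere.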

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
EPSS: 0.14% probability of exploitation · percentile 4.1% · 2026-06-19T12:03:05Z
Published: 2025-09-26
Last modified: 2026-04-15

Underlying weaknesses · 2

CWE-346, CWE-352

References

  1. https://github.com/apollographql/embeddable-explorer/security/advisories/GHSA-w87v-7w53-wwxv


Type      Target                                        Confidence  Tier
Weakness  Origin Validation Error (cwe-346)             0%          live
Weakness  Cross-Site Request Forgery (CSRF) (cwe-352)   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  CVE: CVE-2026-11424
  CVE: CVE-2025-32354
  CVE: CVE-2026-35577
  CVE: CVE-2025-14472
  CVE: CVE-2025-58469
  CVE: CVE-2025-15405
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.