CVE-2026-28410 · HIGH 8.1 · EPSS p13.4%

Description

The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.23% probability of exploitation · percentile 13.4% · 2026-06-18T12:00:27Z
Published: 2026-03-05
Last modified: 2026-03-10

Underlying weaknesses · 2

CWE-284, CWE-682

References

  1. https://github.com/graphprotocol/contracts/commit/91224ed83eeff3fc3afea01f5ed269373d9bf773
  2. https://github.com/graphprotocol/contracts/security/advisories/GHSA-qx35-rc5x-x39r

Type      Target                              Confidence  Tier
Weakness  Improper Access Control (cwe-284)   0%          live
Weakness  Incorrect Calculation (cwe-682)     0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-25962
  2. CVE-2026-4931
  3. CVE-2025-57247
  4. CVE-2026-10584
  5. CVE-2026-41328
  6. CVE-2026-4148

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.