webonyx/graphql-php Security Advisories (3)
- [HIGH] webonyx/graphql-php has unbounded recursion in parser that causes stack overflow on crafted nested input
PKSA-xwpn-zs9j-6wy5 GHSA-r7cg-qjjm-xhqq
Affected version: <=15.32.2
Reported by: GitHub
- [HIGH] webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments
PKSA-sf9j-1gs7-xzvx GHSA-fc86-6rv6-2jpm
Affected version: <15.32.2
Reported by: GitHub
- [MEDIUM] graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation
PKSA-7h5p-prw9-w5nr CVE-2026-40476 GHSA-68jq-c3rv-pcrr
Affected version: <=15.31.4
Reported by: GitHub