Arangodb · Arangodb · CVE-2022-36084
**Name of the Vulnerable Software and Affected Versions**
cruddl versions 1.1.0 through 2.6.x
cruddl versions 3.0.0 through 3.0.1
**Description**
The issue affects cruddl when it is used to generate a schema that uses `@flexSearchFulltext`. Users of that schema may be able to inject arbitrary AQL queries, which are forwarded to and executed by ArangoDB (an AQL injection). Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs `READ` permission on at least one root entity type that has `@flexSearchFulltext` enabled.
**Recommendations**
For cruddl versions 1.1.0 through 2.6.x, update to version 2.7.0 to resolve the issue.
For cruddl versions 3.0.0 through 3.0.1, update to version 3.0.2 to resolve the issue.
As a temporary workaround, consider removing `@flexSearchFulltext` from your schemas until you can update cruddl.
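As an added audit helper (not part of this advisory or of cruddl itself), the script below checks an installed cruddl version against the affected ranges listed above and reports which types in a GraphQL SDL schema enable `@flexSearchFulltext`, i.e. the ones to review or to strip the directive from as the temporary workaround. The sample schema is constructed for the example, and `@rootEntity` is assumed to be cruddl's root-entity directive.

```javascript
// Added example, not cruddl's code. Affected ranges from the advisory:
// 1.1.0 <= v < 2.7.0 and 3.0.0 <= v < 3.0.2 (2.7.0 and 3.0.2 are the fixes).

// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two parsed versions: negative, zero or positive like strcmp.
function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the given cruddl version falls in an affected range.
function isAffectedCruddlVersion(version) {
  const v = parseVersion(version);
  const inRange = (lo, hi) =>
    cmpVersion(v, parseVersion(lo)) >= 0 && cmpVersion(v, parseVersion(hi)) < 0;
  return inRange('1.1.0', '2.7.0') || inRange('3.0.0', '3.0.2');
}

// Names of object types whose definition block (type header or any field)
// carries @flexSearchFulltext. Works on plain SDL text, no parser needed.
function typesUsingFlexSearchFulltext(sdl) {
  const found = [];
  const typeBlock = /\btype\s+(\w+)[^{]*\{[^}]*\}/g;
  let m;
  while ((m = typeBlock.exec(sdl)) !== null) {
    if (/@flexSearchFulltext\b/.test(m[0])) found.push(m[1]);
  }
  return found;
}

// Constructed sample schema: one type uses the directive, one does not.
const sampleSchema = `
type Order @rootEntity {
  customer: String @flexSearchFulltext
  notes: String
}
type Invoice @rootEntity {
  number: String
}
`;

console.log('cruddl 2.6.3 affected:', isAffectedCruddlVersion('2.6.3')); // true
console.log('types to review:', typesUsingFlexSearchFulltext(sampleSchema)); // [ 'Order' ]
```

Run it against the `version` field of your installed `cruddl` package and your own `.graphql` schema sources to get the list of types to review before updating.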