74 matches found

Cvelist | added 2025/12/16 6:15 p.m. | 33 views

CVE-2025-68150 Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and...

CVSS 8.3 | EPSS 0.00291
Exploits 0 | References 3
CVE | added 2025/12/16 6:15 p.m. | 14 views

CVE-2025-68150

CVE-2025-68150 affects Parse Server where the Instagram OAuth adapter allows an attacker to supply a custom apiURL in authData, enabling Server-Side Request Forgery (SSRF) and potentially authentication bypass by hitting malicious endpoints. Root cause: client-provided apiURL is not validated and...

CVSS 8.3 | AI score 6.5 | EPSS 0.00291
Exploits 0 | References 3 | Affected software 1
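The two CVE-2025-68150 entries above describe the same root cause: a URL that should be a server-side constant is read from client-supplied authData and then used as the base of a server-side HTTP request. The block below is an added example, not Parse Server's own adapter code. It shows the vulnerable pattern beside a hardened one in which the API base comes only from deployment configuration and is checked against an allowlist; the function names, the allowlist and the sample authData payloads are hypothetical.

```javascript
// Added example (not Parse Server code): client-controlled apiURL in authData
// versus a server-side, allowlisted API base. Names and payloads are hypothetical.

const DEFAULT_INSTAGRAM_API = 'https://graph.instagram.com/';

// Vulnerable: whatever apiURL the client put into authData becomes the base of a
// server-side request. Pointing it at 169.254.169.254 reads cloud metadata;
// pointing it at an attacker host that answers {"id": "<victim id>"} lets the
// attacker pass the identity check as that victim (the "authentication bypass"
// mentioned in the advisory summary).
function buildUserInfoUrlVulnerable(authData) {
  const base = authData.apiURL || DEFAULT_INSTAGRAM_API;
  return `${base}me?fields=id&access_token=${encodeURIComponent(authData.access_token)}`;
}

// Hardened: the API base is a deployment setting, never a request field, and
// even the deployment setting must be https to a known Instagram host.
const ALLOWED_API_HOSTS = new Set(['graph.instagram.com', 'api.instagram.com']);

function resolveApiBase(serverConfigApiUrl) {
  const url = new URL(serverConfigApiUrl || DEFAULT_INSTAGRAM_API);
  if (url.protocol !== 'https:' || !ALLOWED_API_HOSTS.has(url.hostname)) {
    throw new Error(`refusing Instagram API base ${url.origin}`);
  }
  return url;
}

function buildUserInfoUrlHardened(authData, serverConfigApiUrl) {
  // Reject the field outright rather than silently ignoring it, so a client
  // probing for the old behaviour gets a clear error.
  if ('apiURL' in authData) {
    throw new Error('apiURL is not a client-settable authData field');
  }
  if (typeof authData.access_token !== 'string' || authData.access_token === '') {
    throw new Error('missing access_token');
  }
  const target = new URL('me', resolveApiBase(serverConfigApiUrl));
  target.searchParams.set('fields', 'id');
  target.searchParams.set('access_token', authData.access_token);
  return target.toString();
}

// Constructed sample payloads, shaped like the authData a client would send.
const benignAuthData = { id: '17841400000000000', access_token: 'IGQVJ-sample-token' };
const ssrfAuthData = { ...benignAuthData, apiURL: 'http://169.254.169.254/latest/meta-data/' };

console.log('vulnerable ->', buildUserInfoUrlVulnerable(ssrfAuthData));
try {
  buildUserInfoUrlHardened(ssrfAuthData);
} catch (e) {
  console.log('hardened  ->', e.message);
}
console.log('hardened  ->', buildUserInfoUrlHardened(benignAuthData));
```

The allowlist check runs on the deployment setting as well, because an operator-supplied override that accepts http or an arbitrary host would reopen the same request path from a different direction.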
Veeam | added 2025/11/25 12:00 a.m. | 37 views

The HTTP request was forbidden with client authentication scheme

Veeam Data Cloud for Microsoft 365 Configuration Check Notice: On 2026-05-22, an update to the Veeam Data Cloud for Microsoft 365 services introduced a configuration check to proactively detect configuration issues that may cause the issue described in this article's Challenge section. The Cause a...

AI score 5.7
Exploits 0
EUVD | added 2025/10/03 8:07 p.m. | 3 views

EUVD-2024-1387

Malicious code in bioql PyPI...

CVSS 3.7 | AI score 4.8 | EPSS 0.00504
Exploits 0 | References 7
EUVD | added 2025/10/03 8:07 p.m. | 39 views

EUVD-2024-0260

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 9.2 | EPSS 0.00904
Exploits 1 | References 6
OSV | added 2025/09/26 9:04 a.m. | 3 views

CVE-2025-10867 Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated requests...

CVSS 3.5 | AI score 6.3 | EPSS 0.00305
Exploits 0 | References 4
The Hacker News | added 2025/09/11 9:05 a.m. | 6 views

Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts

Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data. The malvertising campaign, per Bitdefender, is designed to push fake "Meta Verified" browser extensions named SocialMetrics Pro that...

AI score 6.9
Exploits 0
NVD | added 2025/09/05 12:15 a.m. | 7 views

CVE-2025-55739

api is a module for FreePBX®, which is an open source GUI that controls and manages Asterisk© PBX. In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An...

CVSS 5.1 | EPSS 0.00497
Exploits 0 | References 2
OSV | added 2025/09/01 9:50 a.m. | 4 views

MAL-2025-46919 Malicious code in proto-dependency-graph-api (RubyGems)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis ecf5eff888c8c4922c11f9e7129ce050bb6432ec890c9b527f97254b0cf92690 The OpenSSF Package Analysis project identified 'proto-dependency-graph-api' @ 99.99.99 rubygems as malicious. It is considered malicious becaus...

AI score 7.2
Exploits 0
OSSF Malicious Packages | added 2025/09/01 9:50 a.m. | 5 views

Malicious code in proto-dependency-graph-api (RubyGems)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis ecf5eff888c8c4922c11f9e7129ce050bb6432ec890c9b527f97254b0cf92690 The OpenSSF Package Analysis project identified 'proto-dependency-graph-api' @ 99.99.99 rubygems as malicious. It is considered malicious becaus...

AI score 7.2
Exploits 0
RedhatCVE | added 2025/05/23 7:13 a.m. | 4 views

CVE-2024-35232

github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. access_token can be exposed in error message on fail in HTTP request. This issue has been patched in version 2.7.2...

CVSS 3.7 | AI score 4.2 | EPSS 0.00504
Exploits 0 | References 1
HackRead | added 2025/03/03 2:09 p.m. | 4 views

New Malware Campaign Exploits Microsoft Graph API to Infect Windows

FortiGuard Labs discovers an advanced attack using modified Havoc Demon and SharePoint. Explore the attack's evasion techniques and security measures...

AI score 7.5
Exploits 0
The Hacker News | added 2025/02/13 9:11 a.m. | 11 views

FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux

Threat hunters have shed light on a new campaign targeting the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts. The activity, detected in November 2024, has been attributed by Elastic Security Labs to a threat cluster i...

AI score 8.1
Exploits 0
RedhatCVE | added 2025/02/05 10:54 a.m. | 9 views

CVE-2024-21632

omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to version 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...

CVSS 9.8 | AI score 6.5 | EPSS 0.00904
Exploits 1 | References 1
The Hacker News | added 2024/08/07 10:41 a.m. | 20 views

New Go-based Backdoor GoGra Targets South Asian Media Organization

An unnamed media organization in South Asia was targeted in November 2023 using a previously undocumented Go-based backdoor called GoGra. "GoGra is written in Go and uses the Microsoft Graph API to interact with a command-and-control (C&C) server hosted on Microsoft mail services," Symantec, part ...

AI score 7.3
Exploits 0
NVD | added 2024/05/24 9:15 p.m. | 30 views

CVE-2024-35232

github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. access_token can be exposed in error message on fail in HTTP request. This issue has been patched in version 2.7.2...

CVSS 3.7 | AI score 4.1 | EPSS 0.00504
Exploits 0 | References 5
CVE | added 2024/05/24 8:44 p.m. | 84 views

CVE-2024-35232

The CVE-2024-35232 issue affects github.com/huandu/facebook, a Go package for Facebook Graph API usage. The root cause is that an access_token can be exposed in error messages during HTTP request failures, enabling potential information disclosure if logs or clients capture those messages. The vu...

CVSS 3.7 | AI score 4 | EPSS 0.00504
Exploits 0 | References 5
CNNVD | added 2024/05/24 12:00 a.m. | 1 view

Facebook Graph API SDK security vulnerability

Facebook Graph API SDK is a Go package from the individual developer Huan Du in China. A security vulnerability exists in Facebook Graph API SDK versions prior to 2.7.2, which stems from the fact that access_token may be disclosed in an error message when an HTTP request fails...

CVSS 3.7 | AI score 4.8 | EPSS 0.00504
Exploits 0 | References 6
The Hacker News | added 2024/05/03 12:35 p.m. | 13 views

Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection. This is done to "facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services," the Symantec Threat Hunter Team, part of...

AI score 7.7
Exploits 0
NVD | added 2024/01/02 10:15 p.m. | 37 views

CVE-2024-21632

omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to version 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...

CVSS 9.8 | AI score 8.9 | EPSS 0.00904
Exploits 1 | References 3
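Both CVE-2024-21632 entries (RedhatCVE above and NVD here) describe the nOAuth misconfiguration: in a multi-tenant Microsoft Entra application the email attribute of a user is set by that user's tenant administrator, so an attacker who controls a tenant can issue a token whose email matches a victim at the relying party. The block below is an added example, not omniauth-microsoftgraph's code and written in JavaScript rather than Ruby. It contrasts account lookup by email with lookup by the tenant/object pair, and treats email as trustworthy only when the token carries Microsoft's optional xms_edov (email domain owner verified) claim. Claim names follow Microsoft ID tokens; the user table, tenant identifiers and helper names are hypothetical.

```javascript
// Added example (not omniauth-microsoftgraph code): nOAuth-safe account
// resolution for a multi-tenant Entra ID app. Sample users and claims are
// constructed; tid/oid/email/xms_edov are the Microsoft ID token claim names.

// The immutable identity is the tenant plus the object id within it.
function accountKey(claims) {
  if (typeof claims.tid !== 'string' || typeof claims.oid !== 'string') {
    throw new Error('id_token lacks tid/oid; refusing to identify the user');
  }
  return `${claims.tid}:${claims.oid}`;
}

// Email is usable as a trusted attribute only when Entra asserts that the
// issuing tenant owns the address's domain; otherwise it is display-only.
function trustedEmail(claims) {
  if (typeof claims.email === 'string' && claims.xms_edov === true) {
    return claims.email.toLowerCase();
  }
  return null;
}

// Vulnerable: match the local account on the email attribute. Any tenant
// admin can set an arbitrary email on their own users.
function resolveUserByEmail(users, claims) {
  const email = String(claims.email || '').toLowerCase();
  return users.find((u) => u.email === email) || null;
}

// Fixed: match on tid:oid. A first login from an unknown tenant yields no
// match (the caller creates a fresh account) rather than merging into an
// existing one on the strength of an unverified address.
function resolveUserByKey(users, claims) {
  const key = accountKey(claims);
  return users.find((u) => u.key === key) || null;
}

// Constructed data: one existing admin, a token from the victim's own tenant,
// and a token minted by an attacker-controlled tenant with the victim's email.
const USERS = [{ key: 'tenant-victim:obj-1', email: 'victim@example.com', role: 'admin' }];
const VICTIM_CLAIMS = { tid: 'tenant-victim', oid: 'obj-1', email: 'victim@example.com', xms_edov: true };
const ATTACKER_CLAIMS = { tid: 'tenant-attacker', oid: 'obj-9', email: 'victim@example.com' };

console.log('lookup by email, attacker token resolves to:', resolveUserByEmail(USERS, ATTACKER_CLAIMS));
console.log('lookup by tid:oid, attacker token resolves to:', resolveUserByKey(USERS, ATTACKER_CLAIMS));
console.log('trusted email on attacker token:', trustedEmail(ATTACKER_CLAIMS));
```

If a legacy system must link accounts by email at first login, gate that path on trustedEmail() returning a value and still persist the tid:oid key for every subsequent login.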