GraphQL grant on a property might be cached with different objects
Original message: I found an issue with security grants on properties in the GraphQL ItemNormalizer: If you use something like #[ApiProperty(security: 'is_granted("PROPERTY_READ", object, property)')] on a member of an entity, the grant gets cached and is only evaluated once, even if the object in...
GraphQL query operations security can be bypassed
Summary: Using the Relay special node type you can bypass the configured security on an operation. Details: Here is an example of how to apply security configurations for the GraphQL operations (PHP): #[ApiResource(security: "is_granted('ROLE_USER')", operations: [/* ... */], graphQlOperations: [new...
PT-2025-22201
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: The issue arises when the kernel contains a large number of functions that can be traced. The loop in ftrace_graph_set_hash() may take a significant amount of time to execute, potentially...
AWS VDP: Non-Production API Endpoints for the Neptune Graph Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The non-production API endpoints for the Neptune Graph Service were found to fail logging to CloudTrail, resulting in silent permission enumeration. Specifically, seven non-production endpoints were identified that could be used with standard IAM credentials without generating CloudTrail logs. Th...
Malicious code in @sas-dvr/nova-graph (npm)
Source: ossf-package-analysis 2ee49dd296a0db13b0118e5424d00aac99ea70cc3664bba504af096916e31998. The OpenSSF Package Analysis project identified '@sas-dvr/nova-graph' @ 132.0.0 (npm) as malicious. It is considered malicious because: - The...
SUSE CVE-2022-49752
In the Linux kernel, the following vulnerability has been resolved: device property: fix of node refcount leak in fwnode_graph_get_next_endpoint() The 'parent' returned by fwnode_graph_get_port_parent() has its refcount incremented when 'prev' is not NULL, so it needs to be put when finished using it. Because the paren...
DEBIAN-CVE-2022-49752
In the Linux kernel, the following vulnerability has been resolved: device property: fix of node refcount leak in fwnode_graph_get_next_endpoint() The 'parent' returned by fwnode_graph_get_port_parent() has its refcount incremented when 'prev' is not NULL, so it needs to be put when finished using it. Because the paren...
UBUNTU-CVE-2022-49752
In the Linux kernel, the following vulnerability has been resolved: device property: fix of node refcount leak in fwnode_graph_get_next_endpoint() The 'parent' returned by fwnode_graph_get_port_parent() has its refcount incremented when 'prev' is not NULL, so it needs to be put when finished using it. Because the paren...
CVE-2022-49752 device property: fix of node refcount leak in fwnode_graph_get_next_endpoint()
In the Linux kernel, the following vulnerability has been resolved: device property: fix of node refcount leak in fwnode_graph_get_next_endpoint() The 'parent' returned by fwnode_graph_get_port_parent() has its refcount incremented when 'prev' is not NULL, so it needs to be put when finished using it. Because the paren...
CVE-2025-27793
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code...
PT-2025-13294 · Linux +2 · Linux Kernel +2
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: A node refcount leak has been identified in the function fwnode_graph_get_next_endpoint(). This occurs because the parent returned by fwnode_graph_get_port_parent() has its refcount...
Linux kernel security vulnerability
Linux kernel is the kernel of Linux, the open-source operating system of the US-based Linux Foundation. A security vulnerability exists in the Linux kernel that stems from a reference count leak in fwnode_graph_get_next_endpoint()...
The vulnerability in the mod_graph_auth_uri_handler() function of D-Link's DAP-1620 wireless repeater software allows an attacker to execute arbitrary code or cause a denial of service.
The vulnerability in the mod_graph_auth_uri_handler() function of the DAP-1620 wireless repeater software from D-Link is an out-of-bounds memory access beyond a buffer. Exploiting this vulnerability could allow a malicious actor to execute arbitrary code or cause a denial of service b...
Allocation of Resources Without Limits or Throttling
Overview: mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handlers.p...
New Malware Campaign Exploits Microsoft Graph API to Infect Windows
FortiGuard Labs discovers an advanced attack using modified Havoc Demon and SharePoint. Explore the attack's evasion techniques and security measures...
WordPress WPO365 | MICROSOFT 365 GRAPH MAILER plugin <= 3.2 - Open Redirect via 'redirect_to' Parameter vulnerability
Open Redirect via 'redirect_to' Parameter vulnerability discovered by Krzysztof Zając in WordPress Plugin WPO365 | MICROSOFT 365 GRAPH MAILER versions <= 3.2...
CVE-2025-27348
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel WP Social SEO Booster – Knowledge Graph Social Signals SEO (wp-social-seo-booster) allows Stored XSS. This issue affects WP Social SEO Booster – Knowledge Graph Social Signals SEO: from n/a...
WordPress WP Social SEO Booster plugin <= 1.2.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Trương Hữu Phúc (truonghuuphuc) in WordPress Plugin WP Social SEO Booster – Knowledge Graph Social Signals SEO versions <= 1.2.0...
CVE-2025-27348
CVE-2025-27348 pertains to a Stored XSS in the WordPress plugin WP Social SEO Booster – Knowledge Graph Social Signals SEO, affecting versions n/a through 1.2.0. The root cause, per the sources, is improper neutralization of input during web page generation. The vulnerability enables stored cross...
CVE-2025-1488
The WPO365 | MICROSOFT 365 GRAPH MAILER plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.2. This is due to insufficient validation on the redirect URL supplied via the 'redirect_to' parameter. This makes it possible for unauthenticated attackers to redire...