GitHub Security Advisories (GHSA) are authoritative notices for vulnerable open-source packages and ecosystems (for example npm, PyPI, or Maven), usually with a linked CVE. Use the search box to find a GHSA or CVE, narrow by ecosystem or severity, or match phrases in the summary.
| GHSA | CVE | Severity | Type | Summary | Published |
|---|---|---|---|---|---|
| GHSA-7jqc-9jj9-67rh | CVE-2026-27333 | high | unreviewed | Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions. | 2026-06-15 21:30:43 UTC |
| GHSA-c653-97m9-rcg9 | CVE-2026-50010 | high | reviewed | Netty: Wrapping plain trust manager silently disables hostname verification | 2026-06-15 20:45:45 UTC |
| GHSA-vxr8-fq34-vvx9 | — | low | reviewed | DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output | 2026-06-15 20:12:53 UTC |
| GHSA-x4vx-rjvf-j5p4 | — | low | reviewed | DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects | 2026-06-15 20:00:02 UTC |
| GHSA-chgr-c6px-7xpp | — | medium | reviewed | PyO3 has a missing `Sync` bound on `PyCFunction::new_closure` closures | 2026-06-12 20:09:05 UTC |
| GHSA-36hh-v3qg-5jq4 | — | high | reviewed | PyO3 has an Out-of-bounds Read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators | 2026-06-12 19:32:47 UTC |
| GHSA-843m-rfxf-6v2g | CVE-2026-8828 | high | unreviewed | A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows... | 2026-06-12 18:31:59 UTC |
| GHSA-9r4w-jg96-92mv | — | medium | reviewed | Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList() | 2026-06-12 15:04:43 UTC |
| GHSA-93g8-qqv3-mrx8 | CVE-2026-50632 | critical | unreviewed | A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can... | 2026-06-12 12:31:34 UTC |
| GHSA-h97p-mrq3-8jwj | CVE-2026-12025 | medium | unreviewed | Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.115... | 2026-06-12 00:31:56 UTC |
| GHSA-cc2r-m9h8-v7mj | CVE-2026-12034 | high | unreviewed | Insufficient validation of untrusted input in Linux Toolkit Theming in Google Chrome on Linux... | 2026-06-12 00:31:56 UTC |
| GHSA-4h4g-832r-8c7f | CVE-2026-12009 | high | unreviewed | Insufficient validation of untrusted input in Accessibility in Google Chrome on Mac prior to 149... | 2026-06-12 00:31:55 UTC |
| GHSA-4r3c-5hpg-58qr | CVE-2026-48110 | high | reviewed | Russh SSH message fields were decoded through allocation-first parsers before field-specific bounds | 2026-06-11 20:33:21 UTC |
| GHSA-76r6-x97p-67vr | CVE-2026-48108 | medium | reviewed | Russh: SSH identification parsing accepted non-canonical client banners and did not bound pre-banner input | 2026-06-11 20:29:14 UTC |
| GHSA-g9g7-5cgw-6v28 | CVE-2026-48107 | medium | reviewed | Russh: Unchecked keyboard-interactive prompt count in client auth path | 2026-06-11 20:28:56 UTC |
| GHSA-q89f-427x-5p67 | CVE-2026-9758 | high | unreviewed | Improper comparison with the certificates trusted list in S2OPC allows an attacker well-formed... | 2026-06-10 15:31:32 UTC |
| GHSA-g759-4pxw-6692 | CVE-2026-48032 | high | reviewed | @hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers | 2026-06-10 13:37:08 UTC |
| GHSA-xq69-5h5v-x9x4 | CVE-2026-41731 | high | reviewed | In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization | 2026-06-10 00:31:52 UTC |
| GHSA-gg69-9wwp-6jx2 | CVE-2026-41732 | high | unreviewed | JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check,... | 2026-06-10 00:31:52 UTC |
| GHSA-x9hc-8r9x-c29v | CVE-2026-48565 | high | unreviewed | Untrusted search path in Windows Narrator Braille allows an authorized attacker to elevate... | 2026-06-09 18:31:00 UTC |