GitHub Security Advisories (GHSA) are authoritative notices for vulnerable open-source packages and ecosystems (for example npm, PyPI, or Maven), usually with a linked CVE.

| GHSA | CVE | Severity | Type | Summary | Published |
|---|---|---|---|---|---|
| GHSA-5g9f-cwwg-4p8g | CVE-2026-49358 | low | reviewed | PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles | 2026-06-26 22:10:51 UTC |
| GHSA-2fmj-p74r-3wjm | CVE-2026-49286 | high | reviewed | PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass) | 2026-06-26 22:10:00 UTC |
| GHSA-9653-rcfr-5c62 | CVE-2026-47067 | high | reviewed | Hackney vulnerable to atom-table exhaustion via unrecognized URL schemes | 2026-06-26 22:01:36 UTC |
| GHSA-q8jg-fgj4-fphf | CVE-2026-47073 | high | reviewed | Hackney has unbounded buffer accumulation in WebSocket | 2026-06-26 22:00:16 UTC |
| GHSA-f9vr-g2g2-x9fg | CVE-2026-47072 | medium | reviewed | Hackney has CRLF / header injection in WebSocket upgrade request | 2026-06-26 21:59:44 UTC |
| GHSA-j9wq-vxxc-94wf | CVE-2026-47075 | medium | reviewed | Hackney has CR/LF injection in query parameter | 2026-06-26 21:58:59 UTC |
| GHSA-jq4m-q6p2-8gwc | CVE-2026-47074 | high | reviewed | Hackney: Per-chunk timeout with unbounded body accumulation enables slow-drip OOM | 2026-06-26 21:57:33 UTC |
| GHSA-h73q-4w9q-82h4 | CVE-2026-47070 | medium | reviewed | Hackney: Cross-origin Redirect Leaks Authorization, Cookie, and Request Body | 2026-06-26 21:56:29 UTC |
| GHSA-pj7v-xfvx-wmjq | CVE-2026-47076 | medium | reviewed | Hackney has SSRF allowlist bypass in hackney_url:normalize/2 via percent-encoded host | 2026-06-26 21:54:55 UTC |
| GHSA-mp55-p8c9-rfw2 | CVE-2026-47069 | low | reviewed | Hackney has CRLF / header injection via unvalidated `domain` and `path` options | 2026-06-26 21:54:19 UTC |
| GHSA-gp9c-pm5m-5cxr | CVE-2026-47071 | high | reviewed | Hackney: `ssl:connect/2` post-handshake upgrade has no timeout | 2026-06-26 21:53:50 UTC |
| GHSA-6cp8-v795-jr2j | CVE-2026-47066 | high | reviewed | Hackney has an infinite loop on non-token byte at start of an Alt-Svc entry | 2026-06-26 21:53:07 UTC |
| GHSA-4hf8-5mjm-rfgq | CVE-2026-49357 | high | reviewed | Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication | 2026-06-26 21:50:49 UTC |
| GHSA-mmj8-wcvw-6789 | CVE-2026-49262 | low | reviewed | Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy | 2026-06-26 21:50:10 UTC |
| GHSA-hg3w-7f8c-63hp | CVE-2026-48995 | medium | reviewed | pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile | 2026-06-26 21:49:22 UTC |
| GHSA-jq42-7mfv-hm57 | CVE-2026-5223 | medium | reviewed | Cargo crates in third party registries can override the cached source of other crates | 2026-06-26 21:48:43 UTC |
| GHSA-p688-r7jv-fm6f | CVE-2026-5222 | low | reviewed | Cargo can be coerced to share credentials between registries | 2026-06-26 21:47:54 UTC |
| GHSA-f5gc-qxf8-mh9g | CVE-2026-49260 | high | reviewed | php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc) | 2026-06-26 21:46:27 UTC |
| GHSA-vrwh-33vr-jg7w | CVE-2024-23581 | medium | unreviewed | The HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious... | 2026-06-26 21:32:18 UTC |
| GHSA-r88h-63mh-cc6h | CVE-2026-53320 | unknown | unreviewed | In the Linux kernel, the following vulnerability has been resolved: nilfs2: reject zero... | 2026-06-26 21:32:18 UTC |