GitHub Security Advisories (GHSA) are authoritative notices for vulnerable open-source packages and ecosystems (for example npm, PyPI, or Maven), usually with a linked CVE. Use the search box to find a GHSA or CVE, narrow by ecosystem or severity, or match phrases in the summary.
| GHSA | CVE | Severity | Type | Summary | Published |
|---|---|---|---|---|---|
| GHSA-5pmv-rx8r-wmv5 | CVE-2026-52834 | high | reviewed | jxl-grid on 32-bit platforms has an out-of-bounds writes due to integer overflow | 2026-07-02 20:45:59 UTC |
| GHSA-66m8-c62j-h6v5 | — | medium | reviewed | jxl-oxide: `FrameBuffer::new` creates out-of-bounds slices on overflow | 2026-07-02 20:45:10 UTC |
| GHSA-2v8p-fqpx-2q3w | — | medium | reviewed | jxl-oxide: integer subtraction overflow panic in cluster_from_table via crafted JXL input (DoS) | 2026-07-02 20:44:57 UTC |
| GHSA-63wg-wjjj-7cp8 | CVE-2026-52829 | high | reviewed | Zebra Address Book Aborted by IPv4-Mapped Mempool Misbehavior Update | 2026-07-02 20:26:56 UTC |
| GHSA-65jj-fmw8-468q | CVE-2026-52734 | medium | reviewed | zebrad has unbounded memory leak in mempool download pipeline via timeout path cancel_handles retention | 2026-07-02 20:12:35 UTC |
| GHSA-2gf8-q9rr-jq3h | CVE-2026-52733 | medium | reviewed | zebrad has persistent on-disk corruption of Sapling/Orchard subtree roots after chain fork via pop_tip | 2026-07-02 20:11:36 UTC |
| GHSA-hhm7-qrv5-h4r6 | CVE-2026-52739 | medium | reviewed | Zebra: Repeated Non-Finalized Shielded Transaction Aborts Zebra Before Duplicate-Nullifier Rejection | 2026-07-02 19:46:35 UTC |
| GHSA-w834-cf6p-9m9w | CVE-2026-52738 | medium | reviewed | Zebra: Finalized address balance credit-first overflow on consensus-valid blocks | 2026-07-02 19:44:54 UTC |
| GHSA-gvjc-3w7c-92jx | CVE-2026-52737 | medium | reviewed | Zebra has sync restart poisoning from single unauthenticated peer via above-lookahead block | 2026-07-02 19:44:24 UTC |
| GHSA-gf9r-m956-97qx | CVE-2026-52735 | critical | reviewed | zebrad has consensus divergence via P2SH sigop undercount in pure-Rust disabled-opcode parser | 2026-07-02 19:43:36 UTC |
| GHSA-4m69-67m6-prqp | CVE-2026-52736 | high | reviewed | Zebra has block suppression via NU5 same-header body poisoning of sent-hash cache | 2026-07-02 19:43:08 UTC |
| GHSA-h72h-ppcx-998p | — | low | reviewed | Zebra has pre-handshake buffer capacity reservation based on attacker-claimed body length | 2026-07-02 19:42:05 UTC |
| GHSA-4fc2-h7jh-287c | CVE-2026-52732 | medium | reviewed | zebrad has mempool transaction admission denial via single-peer inbound queue saturation | 2026-07-02 19:39:02 UTC |
| GHSA-c8w6-x74f-vmg3 | — | medium | reviewed | zebrad vulnerable to full node denial of service via crafted Sapling receiver in z_listunifiedreceivers | 2026-07-02 19:37:58 UTC |
| GHSA-443g-gwgp-49x4 | — | low | reviewed | zebrad vulnerable to getblocks/getheaders locator CPU amplification via uncapped vector length | 2026-07-02 19:34:21 UTC |
| GHSA-qv2r-v3mx-f4pf | CVE-2026-52731 | medium | reviewed | zebrad has full node denial of service via non-ASCII LongPollId in getblocktemplate | 2026-07-02 19:28:03 UTC |
| GHSA-77q5-rr5v-x43q | — | high | reviewed | OpenClaw: Trusted retry endpoint checks could match hostname prefixes | 2026-07-02 17:22:11 UTC |
| GHSA-3rjw-m598-pq24 | CVE-2026-50185 | medium | reviewed | Cmov/CmovEq on aarch64 can produce wrong results if high-bits of registers are set | 2026-07-02 17:18:11 UTC |
| GHSA-qjpc-qf9m-xwmr | — | high | reviewed | OpenClaw: Trusted-proxy Control UI WebSocket accepted client-declared scopes before pairing | 2026-07-02 16:43:53 UTC |
| GHSA-rggc-m335-3wvj | — | high | reviewed | OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers | 2026-07-02 16:03:10 UTC |