GitHub Security Advisories (GHSA) are authoritative notices for vulnerable open-source packages and ecosystems (for example npm, PyPI, or Maven), usually with a linked CVE. Use the search box to find a GHSA or CVE, narrow by ecosystem or severity, or match phrases in the summary.
| GHSA | CVE | Severity | Type | Summary | Published |
|---|---|---|---|---|---|
| GHSA-pmm4-v8f6-4vpp | CVE-2026-56382 | high | unreviewed | Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code... | 2026-06-21 15:31:24 UTC |
| GHSA-p9xj-fpr2-jf2q | CVE-2026-55878 | high | reviewed | symfony/ux-toolkit: Path Traversal Allows Arbitrary File Write and Read via Crafted Recipe Manifest | 2026-06-19 21:42:18 UTC |
| GHSA-6v8j-33hc-mv84 | CVE-2026-55877 | medium | reviewed | symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses | 2026-06-19 21:42:15 UTC |
| GHSA-5c7p-g73q-rpg5 | CVE-2026-55692 | high | reviewed | StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled | 2026-06-19 21:41:57 UTC |
| GHSA-h5gm-x9wr-vhcm | CVE-2026-55795 | medium | reviewed | Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass | 2026-06-19 21:15:26 UTC |
| GHSA-78vr-q6cf-c7p6 | — | medium | reviewed | Craft Commerce: Partial Payment Amount Without Lower Bound Validation | 2026-06-19 21:15:23 UTC |
| GHSA-c55v-343g-5xff | CVE-2026-55791 | critical | reviewed | Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs | 2026-06-19 21:15:19 UTC |
| GHSA-7h5p-637f-jfr7 | CVE-2026-55691 | high | reviewed | StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template | 2026-06-19 21:15:03 UTC |
| GHSA-c29q-5xm7-5p62 | CVE-2026-55690 | high | reviewed | StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized service name in exception text | 2026-06-19 21:14:15 UTC |
| GHSA-mwqm-4fw3-cjvr | CVE-2026-49216 | medium | reviewed | symfony/ux-autocomplete: XSS via unescaped AJAX response data | 2026-06-19 19:35:05 UTC |
| GHSA-4m4j-hmqq-3gxm | CVE-2026-49215 | low | reviewed | symfony/ux-live-component: CSRF Protection Bypass — Accept Header is CORS-Safelisted | 2026-06-19 19:35:01 UTC |
| GHSA-34w5-c283-j9fg | CVE-2026-49212 | low | reviewed | symfony/ux-live-component: LiveComponentHydrator HMAC checksum lacks component and slot binding | 2026-06-19 19:34:56 UTC |
| GHSA-946h-jp5c-8fvh | CVE-2026-49211 | medium | reviewed | symfony/ux-autocomplete: Information exposure via unescaped LIKE wildcards in EntitySearchUtil | 2026-06-19 19:34:53 UTC |
| GHSA-38x5-rcv4-xf7x | CVE-2026-49210 | medium | reviewed | symfony/ux-live-component: XSS via attacker-controlled child component tag | 2026-06-19 19:34:49 UTC |
| GHSA-mm82-c99c-h2cf | CVE-2026-49209 | low | reviewed | symfony/ux-live-component: Denial of service via unbounded batch action requests | 2026-06-19 19:34:45 UTC |
| GHSA-89g7-22c8-3j23 | CVE-2026-49208 | medium | reviewed | ux-live-component: Format-less date LiveProps parsed with the permissive DateTime constructor | 2026-06-19 19:23:55 UTC |
| GHSA-cwxw-98qj-8qjx | CVE-2026-55767 | medium | reviewed | guzzlehttp/guzzle: Dot-Only Cookie Domains Match All Hosts | 2026-06-19 14:37:29 UTC |
| GHSA-vm85-hxw5-5432 | CVE-2026-55766 | medium | reviewed | guzzlehttp/psr7: CRLF Injection in HTTP Start-Line Serialization | 2026-06-19 14:35:57 UTC |
| GHSA-wpwq-4j6v-78m3 | CVE-2026-55568 | medium | reviewed | guzzlehttp/guzzle: Silent HTTPS-Proxy Downgrade to Cleartext | 2026-06-19 14:17:59 UTC |
| GHSA-37pm-83g7-r22v | CVE-2026-55375 | medium | reviewed | canto-saas-api: OAuth credentials exposed in URL query string and exception messages | 2026-06-19 14:16:41 UTC |