GitHub Security Advisories (GHSA) are authoritative notices for vulnerable open-source packages and ecosystems (for example npm, PyPI, or Maven), usually with a linked CVE.

| GHSA | CVE | Severity | Type | Summary | Published |
|---|---|---|---|---|---|
| GHSA-7f48-x95j-2r8c | CVE-2026-9261 | high | unreviewed | Use of weak SSH cryptographic algorithms in Canon EOS Network Setting Tool Version 1.5.0 or earlier | 2026-06-16 00:34:25 UTC |
| GHSA-3xm9-v8wr-3w5j | CVE-2026-39451 | medium | unreviewed | Unauthenticated Cross Site Scripting (XSS) in WP Google Review Slider <= 18.0 versions. | 2026-06-15 21:30:44 UTC |
| GHSA-rc6x-6x52-9whj | CVE-2026-53705 | high | unreviewed | A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a... | 2026-06-15 21:30:42 UTC |
| GHSA-jq35-7prp-9v3f | CVE-2026-48523 | medium | reviewed | PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys | 2026-06-15 19:27:48 UTC |
| GHSA-rrj9-5q2j-4gvr | CVE-2026-48747 | medium | reviewed | Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade | 2026-06-15 17:32:28 UTC |
| GHSA-f9fr-2hr3-67mf | CVE-2026-8385 | medium | unreviewed | The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval... | 2026-06-15 09:30:29 UTC |
| GHSA-7gcf-rrgh-pw4q | CVE-2026-8386 | medium | unreviewed | The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on... | 2026-06-15 09:30:29 UTC |
| GHSA-q5mp-4wmh-7f39 | CVE-2026-9061 | low | unreviewed | The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata... | 2026-06-13 09:31:27 UTC |
| GHSA-g9f3-8379-v2hf | CVE-2026-53867 | medium | unreviewed | Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage... | 2026-06-13 00:34:33 UTC |
| GHSA-2cqf-7mh8-jphj | CVE-2026-53868 | high | unreviewed | Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register... | 2026-06-13 00:34:33 UTC |
| GHSA-8c9q-7855-wfxq | CVE-2026-54090 | high | reviewed | File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection | 2026-06-12 22:52:11 UTC |
| GHSA-j9jx-hp4c-ghhh | CVE-2026-54091 | high | reviewed | File Browser has incorrect access control for public directory shares via rule path rebasing | 2026-06-12 21:53:28 UTC |
| GHSA-gxjx-7m74-hcq8 | CVE-2026-54093 | medium | reviewed | File Browser: FilePath traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames | 2026-06-12 21:53:18 UTC |
| GHSA-239w-m3h6-ch8v | CVE-2026-54094 | medium | reviewed | File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope | 2026-06-12 21:53:10 UTC |
| GHSA-w5fm-68j4-fpc4 | CVE-2026-54092 | high | reviewed | File Browser has a DoS Vulnerability via Public Login API | 2026-06-12 21:51:24 UTC |
| GHSA-c4wp-7485-699w | CVE-2026-54394 | medium | unreviewed | MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The... | 2026-06-12 21:31:46 UTC |
| GHSA-3q2p-72cj-682c | CVE-2026-54096 | high | reviewed | File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path | 2026-06-12 21:07:55 UTC |
| GHSA-5ww9-jg6q-38r7 | CVE-2026-54097 | high | reviewed | File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix | 2026-06-12 21:00:55 UTC |
| GHSA-x4qr-qw6h-wvxq | CVE-2026-46371 | medium | reviewed | Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint | 2026-06-12 21:00:48 UTC |
| GHSA-vxm7-9x8v-8gm4 | CVE-2026-46370 | medium | reviewed | Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint | 2026-06-12 21:00:42 UTC |