GitHub Security Advisories (GHSA) are authoritative notices for vulnerable open-source packages and ecosystems (for example npm, PyPI, or Maven), usually with a linked CVE.

| GHSA | CVE | Severity | Type | Summary | Published |
|---|---|---|---|---|---|
| GHSA-mx8g-39q3-5c79 | CVE-2026-9595 | medium | reviewed | webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies | 2026-06-17 18:13:31 UTC |
| GHSA-72gw-mp4g-v24j | CVE-2026-5079 | high | reviewed | Multer vulnerable to Denial of Service via deeply nested field names | 2026-06-17 18:12:27 UTC |
| GHSA-3p4h-7m6x-2hcm | CVE-2026-5038 | medium | reviewed | Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads | 2026-06-17 18:11:48 UTC |
| GHSA-fg94-h982-f3mm | CVE-2026-54316 | medium | reviewed | Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch | 2026-06-17 18:06:06 UTC |
| GHSA-rjxq-qqhf-8hwh | CVE-2026-53840 | high | reviewed | OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin | 2026-06-17 17:55:06 UTC |
| GHSA-hmcr-rmjq-47qr | CVE-2026-53931 | medium | reviewed | NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint | 2026-06-17 14:08:26 UTC |
| GHSA-h6vv-pcq8-7xm4 | CVE-2026-53930 | medium | reviewed | NocoDB: Server-Side Request Forgery via Base Migration URL | 2026-06-17 14:08:04 UTC |
| GHSA-6mhr-74x2-98v9 | CVE-2026-53929 | medium | reviewed | NocoDB: Stored Cross-Site Scripting via Secure Attachment | 2026-06-17 14:07:52 UTC |
| GHSA-r989-7g3j-wjhw | CVE-2026-53928 | medium | reviewed | NocoDB: Refresh Tokens Persist Through Password Recovery | 2026-06-17 14:07:33 UTC |
| GHSA-gprh-27j3-g5h4 | CVE-2026-53927 | medium | reviewed | NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL | 2026-06-17 14:06:43 UTC |
| GHSA-3pvj-jv98-qhjq | CVE-2026-53765 | medium | reviewed | Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory | 2026-06-17 14:01:04 UTC |
| GHSA-664h-gpgq-h6xx | — | medium | reviewed | n8n: Wrong OAuth Scope on Evaluation Test Runs Endpoints | 2026-06-17 13:55:59 UTC |
| GHSA-mqxh-6gq7-558m | CVE-2026-54325 | medium | reviewed | Pi Agent: Pi loads project-local extensions without approval | 2026-06-17 13:55:44 UTC |
| GHSA-jfgx-wxx8-mp94 | CVE-2026-54328 | high | reviewed | Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts | 2026-06-17 13:55:13 UTC |
| GHSA-r95r-rj6r-c39x | CVE-2026-54327 | low | reviewed | Pi Agent: Race condition in Pi auth.json writes could expose stored credentials | 2026-06-17 13:54:37 UTC |
| GHSA-7v5m-pr3q-6453 | CVE-2026-54326 | low | reviewed | Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass | 2026-06-16 23:43:15 UTC |
| GHSA-x6qj-4h56-5rj5 | CVE-2026-49993 | medium | reviewed | @nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g) | 2026-06-16 23:39:16 UTC |
| GHSA-m3q2-p4fw-w38m | — | low | reviewed | Cross-site scripting via `<NoScript>` slot content in Nuxt's head components | 2026-06-16 23:38:47 UTC |
| GHSA-rm2v-h48j-895m | CVE-2026-54304 | high | reviewed | n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host | 2026-06-16 23:34:10 UTC |
| GHSA-qrx8-25qr-5r7v | CVE-2026-54309 | high | reviewed | n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions | 2026-06-16 23:32:31 UTC |