GitHub Security Advisories (GHSA) are formal notices about affected packages in open-source ecosystems such as npm, PyPI and Maven, and are usually linked to a CVE. Use the search box to look up a GHSA or CVE identifier, narrow the list by ecosystem or severity, or match a phrase in the summary text.
| GHSA | CVE | Severity | Type | Summary | Published |
|---|---|---|---|---|---|
| GHSA-wwf9-7jrc-rv4q | CVE-2026-55650 | medium | reviewed | Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure | 2026-06-19 21:18:44 UTC |
| GHSA-ccv6-r384-xp75 | CVE-2026-55447 | critical | reviewed | Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit | 2026-06-19 21:18:24 UTC |
| GHSA-qwqc-p3q8-wcg9 | CVE-2026-55446 | high | reviewed | Langflow: Unauthenticated DoS through multipart form boundary file upload | 2026-06-19 21:17:37 UTC |
| GHSA-7hw8-6q6r-4276 | CVE-2026-55423 | medium | reviewed | Langflow: Logout button does not clear session | 2026-06-19 21:17:01 UTC |
| GHSA-qrpv-q767-xqq2 | CVE-2026-55255 | critical | reviewed | Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow | 2026-06-19 21:16:46 UTC |
| GHSA-h4gh-22qq-72r7 | CVE-2026-55206 | medium | reviewed | py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read() | 2026-06-19 21:16:33 UTC |
| GHSA-gjrg-mpp7-g774 | CVE-2026-55195 | medium | reviewed | py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size | 2026-06-19 21:16:29 UTC |
| GHSA-w4mc-hhc6-xp28 | CVE-2026-55187 | medium | reviewed | Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms | 2026-06-19 21:16:21 UTC |
| GHSA-m999-j542-5w3r | CVE-2026-55185 | medium | reviewed | Open Redirect Bypass in miniflux-v2 | 2026-06-19 21:16:13 UTC |
| GHSA-c7jm-38gq-h67h | — | medium | reviewed | http4k: `ServerFilters.DigestAuth` / `DigestAuthProvider` defaulted to an always-true nonce verifier, disabling replay protection in default deployments | 2026-06-19 21:16:09 UTC |
| GHSA-pr33-38xx-6r26 | — | medium | reviewed | http4k: `BasicCookieStorage` (renamed `InsecureCookieStorage`) did not enforce RFC 6265 cookie scoping; new `DefaultCookieStorage` is now the default | 2026-06-19 21:16:07 UTC |
| GHSA-m4w9-hjfw-vwj4 | — | high | reviewed | http4k: `HmacSha256.hash` (despite the `Hmac` naming) computed a plain unkeyed digest; clarified by deprecation in favour of `Sha256.hash` / `Sha256.hmac` | 2026-06-19 21:16:03 UTC |
| GHSA-jrpc-7vxp-69p6 | — | medium | reviewed | http4k: `reverseProxy()` defaulted to substring (`Contains`) matching on `Host`; tightened to `Exact` | 2026-06-19 21:15:59 UTC |
| GHSA-4mr2-fg2p-w63c | CVE-2026-54762 | medium | reviewed | Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails | 2026-06-19 21:15:56 UTC |
| GHSA-gx93-m64w-5m6h | CVE-2026-55847 | medium | reviewed | Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering | 2026-06-19 21:15:53 UTC |
| GHSA-82cg-3hv7-74gc | CVE-2026-55846 | medium | reviewed | Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read | 2026-06-19 21:15:50 UTC |
| GHSA-rpj2-4hq8-938g | — | high | reviewed | VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files | 2026-06-19 21:15:47 UTC |
| GHSA-jr33-mw75-7j8f | CVE-2026-55837 | medium | reviewed | dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens | 2026-06-19 21:15:40 UTC |
| GHSA-p5wc-9w9r-m232 | — | high | reviewed | Ultimate Sitemap Parser (USP): XML Entity Expansion (Billion Laughs) DoS in XMLSitemapParser | 2026-06-19 21:15:36 UTC |
| GHSA-8823-qg2x-pv9f | — | high | reviewed | Ultimate Sitemap Parser (USP): Gzip Decompression Bomb Bypasses Sitemap Size Limit | 2026-06-19 21:15:34 UTC |