GitHub Security Advisories (GHSA) are the formal notices for affected packages in open-source ecosystems such as npm, PyPI and Maven, and are usually linked to a CVE. Type a GHSA or CVE identifier into the search box for an exact lookup, narrow the results by ecosystem or severity, or search for a phrase that appears in the summary text. A dash in the CVE column means no CVE was linked when the advisory was listed; use the GHSA identifier to track those entries. Published times are in UTC.
| GHSA | CVE | Severity | Type | Summary | Published |
|---|---|---|---|---|---|
| GHSA-qrv3-253h-g69c | — | high | reviewed | pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config | 2026-06-27 00:13:18 UTC |
| GHSA-72r4-9c5j-mj57 | — | high | reviewed | pnpm: `patch-remove` could delete project-selected files outside the patches directory | 2026-06-27 00:12:39 UTC |
| GHSA-fr4h-3cph-29xv | — | high | reviewed | pnpm: Hoisted install imports lockfile alias outside node_modules | 2026-06-27 00:02:51 UTC |
| GHSA-v23m-ccfg-pq9h | CVE-2026-55700 | high | reviewed | pnpm: `stage download` writes outside its destination directory via manifest name/version traversal | 2026-06-26 23:54:52 UTC |
| GHSA-4gxm-v5v7-fqc4 | CVE-2026-55699 | medium | reviewed | pnpm: Reserved bin name deletes PNPM_HOME during global remove | 2026-06-26 23:46:53 UTC |
| GHSA-w466-c33r-3gjp | CVE-2026-55698 | high | reviewed | pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes | 2026-06-26 23:34:06 UTC |
| GHSA-gj8w-mvpf-x27x | CVE-2026-55697 | high | reviewed | pnpm: Repository-controlled configDependencies can select a pacquet native install engine | 2026-06-26 23:20:47 UTC |
| GHSA-5wx6-mg75-v57r | CVE-2026-55487 | high | reviewed | pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle | 2026-06-26 23:18:13 UTC |
| GHSA-3qhv-2rgh-x77r | CVE-2026-55180 | medium | reviewed | pnpm: Repository config can expand victim environment secrets into registry requests before scripts run | 2026-06-26 23:12:25 UTC |
| GHSA-rxhj-4m44-96r4 | CVE-2026-50015 | high | reviewed | pnpm Vulnerable to Arbitrary File Write/Delete via Malicious Patch File (Path Traversal) | 2026-06-26 22:59:48 UTC |
| GHSA-cjhr-43r9-cfmw | CVE-2026-50017 | medium | reviewed | pnpm binds unscoped user-level npm auth credentials to a repository-selected registry | 2026-06-26 22:59:25 UTC |
| GHSA-hwx4-2j3j-g496 | CVE-2026-50016 | high | reviewed | pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement | 2026-06-26 22:55:51 UTC |
| GHSA-p4xf-rf54-rj3x | CVE-2026-50014 | medium | reviewed | pnpm: Git Fetch Argument Injection via Lockfile resolution.commit | 2026-06-26 22:53:21 UTC |
| GHSA-q6j5-fjx5-2mc3 | CVE-2026-50021 | medium | reviewed | pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field | 2026-06-26 22:53:01 UTC |
| GHSA-54hh-g5mx-jqcp | CVE-2026-50573 | medium | reviewed | pnpm: Unsafe default behavior breaks integrity check | 2026-06-26 22:52:33 UTC |
| GHSA-m34p-749j-x6m6 | CVE-2026-50029 | medium | reviewed | js-toml has silent type confusion via falsy-primitive duplicate-key bypass | 2026-06-26 22:49:28 UTC |
| GHSA-396q-4vc8-28x9 | CVE-2026-49336 | medium | reviewed | @microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter | 2026-06-26 22:23:11 UTC |
| GHSA-wp3c-266w-4qfq | CVE-2026-49293 | high | reviewed | js-toml vulnerable to CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals | 2026-06-26 22:21:43 UTC |
| GHSA-4hf8-5mjm-rfgq | CVE-2026-49357 | high | reviewed | Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication | 2026-06-26 21:50:49 UTC |
| GHSA-hg3w-7f8c-63hp | CVE-2026-48995 | medium | reviewed | pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile | 2026-06-26 21:49:22 UTC |
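The search semantics described above (identifier lookup, severity filter, phrase match on the summary), as an added example that is not part of this listing page: the rows are a constructed subset copied from the table, the `search()` function and the `api_query_url()` helper are mine, and the helper only builds a URL for the GitHub REST "List global security advisories" endpoint (`GET https://api.github.com/advisories`) using its documented parameter names; sending the request is left to the caller, so the block runs offline.

```python
"""Added example (not code from the GHSA listing page): a local model of the
page's search box over a constructed subset of the advisory table, plus a
helper that builds the equivalent query URL for the GitHub REST endpoint
GET https://api.github.com/advisories (assumed parameter names: ghsa_id,
cve_id, ecosystem, severity, type)."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlencode


@dataclass(frozen=True)
class Advisory:
    ghsa_id: str
    cve_id: Optional[str]   # None where the table shows a dash
    severity: str
    adv_type: str
    summary: str
    published: str          # ISO 8601, UTC


# Constructed sample: five rows copied from the table on this page.
ADVISORIES: List[Advisory] = [
    Advisory("GHSA-qrv3-253h-g69c", None, "high", "reviewed",
             "pnpm: Path traversal in configDependencies env lockfile allows "
             "symlink creation outside node_modules/.pnpm-config",
             "2026-06-27T00:13:18Z"),
    Advisory("GHSA-v23m-ccfg-pq9h", "CVE-2026-55700", "high", "reviewed",
             "pnpm: `stage download` writes outside its destination directory "
             "via manifest name/version traversal",
             "2026-06-26T23:54:52Z"),
    Advisory("GHSA-4gxm-v5v7-fqc4", "CVE-2026-55699", "medium", "reviewed",
             "pnpm: Reserved bin name deletes PNPM_HOME during global remove",
             "2026-06-26T23:46:53Z"),
    Advisory("GHSA-q6j5-fjx5-2mc3", "CVE-2026-50021", "medium", "reviewed",
             "pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field",
             "2026-06-26T22:53:01Z"),
    Advisory("GHSA-396q-4vc8-28x9", "CVE-2026-49336", "medium", "reviewed",
             "@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak "
             "across origin on redirect due to case-mismatched scrub in "
             "fetchRequestAdapter",
             "2026-06-26T22:23:11Z"),
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def search(query: str = "", *, min_severity: Optional[str] = None,
           rows: List[Advisory] = ADVISORIES) -> List[Advisory]:
    """Model of the page's search box.

    A query starting with GHSA- or CVE- is an exact, case-insensitive
    identifier lookup; any other query is a case-insensitive phrase match
    against the summary. min_severity keeps rows at or above that level.
    """
    q = query.strip()
    is_identifier = q.upper().startswith(("GHSA-", "CVE-"))
    out: List[Advisory] = []
    for adv in rows:
        if min_severity and SEVERITY_RANK[adv.severity] < SEVERITY_RANK[min_severity]:
            continue
        if not q:
            out.append(adv)
        elif is_identifier:
            if q.upper() in (adv.ghsa_id.upper(), (adv.cve_id or "").upper()):
                out.append(adv)
        elif q.lower() in adv.summary.lower():
            out.append(adv)
    return out


def api_query_url(*, ghsa_id: Optional[str] = None, cve_id: Optional[str] = None,
                  ecosystem: Optional[str] = None, severity: Optional[str] = None,
                  adv_type: str = "reviewed") -> str:
    """Build the equivalent GitHub REST query URL (assumed parameter names as
    documented for GET /advisories). The ecosystem filter, which the local
    table has no column for, is expressed here only."""
    params = {"type": adv_type}
    if ghsa_id:
        params["ghsa_id"] = ghsa_id
    if cve_id:
        params["cve_id"] = cve_id
    if ecosystem:
        params["ecosystem"] = ecosystem
    if severity:
        params["severity"] = severity
    return "https://api.github.com/advisories?" + urlencode(params)


if __name__ == "__main__":
    for adv in search("lockfile", min_severity="high"):
        print(adv.ghsa_id, adv.cve_id or "-", adv.severity, adv.summary)
    print(api_query_url(ecosystem="npm", severity="high"))
```

Identifier queries are matched exactly and phrase queries as substrings, so a search for `integrity` will not return the `configDependencies` advisory even though it concerns lockfile handling; when triaging a package manager incident, search on several summary terms (or pull the full feed by ecosystem through the API URL) rather than relying on one phrase.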