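GitHub Security Advisories (GHSA) are formal notices about affected packages in open-source ecosystems such as npm, PyPI, and Maven, and in many cases they are linked to a CVE. Use the search box to look up a GHSA or CVE, then filter by ecosystem or severity, or phrase-match against the summary text.

| GHSA | CVE | Severity | Type | Summary | Published |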
|---|---|---|---|---|---|
| GHSA-4xpc-pv4p-pm3w | CVE-2026-49468 | critical | reviewed | LiteLLM: Authentication Bypass via Host Header Injection | 2026-06-16 23:38:26 UTC |
| GHSA-69qj-pvh9-c5wg | — | high | reviewed | yt-dlp: Arbitrary command injection possible if --exec option used with yt-dlp | 2026-06-16 22:29:14 UTC |
| GHSA-vx4q-3cr2-7cg2 | CVE-2026-50574 | high | reviewed | yt-dlp: Arbitrary code execution via manifest downloads with aria2c | 2026-06-16 21:13:47 UTC |
| GHSA-6qhc-x826-342c | CVE-2026-53755 | high | reviewed | Crawl4AI: SSRF via proxy settings in the Docker server bypasses the crawl-URL SSRF check | 2026-06-16 21:02:55 UTC |
| GHSA-7cx2-g3h9-382p | — | high | reviewed | Crawl4AI: Arbitrary file write (symlink/TOCTOU) plus log and webhook-header injection in Docker server | 2026-06-16 21:02:19 UTC |
| GHSA-f989-c77f-r2cq | — | high | reviewed | Crawl4AI: LLM credential exfiltration in Docker server via request base_url and env: token resolution | 2026-06-16 21:00:31 UTC |
| GHSA-4qqr-vv2q-cmr5 | CVE-2026-53754 | high | reviewed | Crawl4AI: SSRF filter bypass in Docker server via IPv6 transition forms (NAT64 / 6to4 / unspecified / v4-mapped) | 2026-06-16 21:00:04 UTC |
| GHSA-c6mh-fpjc-4pr3 | CVE-2026-50023 | high | reviewed | yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519) | 2026-06-16 20:59:42 UTC |
| GHSA-f7j3-774f-rfhj | CVE-2026-50019 | medium | reviewed | yt-dlp: File Downloader cookie leak with curl | 2026-06-16 20:16:56 UTC |
| GHSA-365w-hqf6-vxfg | — | critical | reviewed | Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution | 2026-06-16 20:13:30 UTC |
| GHSA-qxjp-w3pj-48m7 | CVE-2026-53753 | critical | reviewed | Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API | 2026-06-16 20:13:07 UTC |
| GHSA-94f4-hr76-p5j6 | CVE-2026-48746 | critical | reviewed | vLLM: OpenAI auth bypass | 2026-06-16 17:36:41 UTC |
| GHSA-rcjh-r59h-gq37 | CVE-2026-48520 | medium | reviewed | Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read | 2026-06-16 17:36:00 UTC |
| GHSA-v5ff-9q35-q26f | CVE-2026-48519 | critical | reviewed | Langflow: Unauthenticated RCE in Shareable Playgrounds | 2026-06-16 17:35:32 UTC |
| GHSA-79ph-745m-6wxq | CVE-2026-42867 | medium | reviewed | Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint | 2026-06-16 17:35:09 UTC |
| GHSA-q8gq-377p-jq3r | CVE-2026-41523 | high | reviewed | vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution | 2026-06-16 17:34:49 UTC |
| GHSA-9c59-2mvc-vfr8 | CVE-2026-33760 | high | reviewed | Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints | 2026-06-16 17:34:21 UTC |
| GHSA-gr75-jv2w-4656 | — | medium | reviewed | LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders | 2026-06-16 15:03:14 UTC |
| GHSA-p4gq-832x-fm9v | CVE-2026-54293 | high | reviewed | Natural Language Toolkit (NLTK): URL-Encoded Path Traversal in nltk.data.load() Allows Arbitrary Local File Read | 2026-06-16 14:34:15 UTC |
| GHSA-gj48-438w-jh9v | — | medium | reviewed | Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes | 2026-06-16 14:07:49 UTC |