**GitHub Security Advisories (GHSA)** are GitHub's curated notices for vulnerable open-source packages across package ecosystems such as npm, PyPI and Maven; each advisory carries a GHSA identifier and, where one has been assigned, the matching **CVE** ID. In the table below, "Type" is GitHub's review status ("reviewed" means GitHub has reviewed and curated the entry; the database also holds unreviewed and malware entries) and the severity is the advisory's CVSS-derived rating. Use the search box to look up a GHSA or CVE ID, filter by ecosystem or severity, or match a phrase in the summary.
| GHSA | CVE | Severity | Type | Summary | Published |
|---|---|---|---|---|---|
| GHSA-2fp4-5v5c-4448 | CVE-2026-49339 | high | reviewed | gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists | 2026-06-26 23:32:10 UTC |
| GHSA-4gxv-p5g5-j7w7 | CVE-2026-49340 | high | reviewed | gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host | 2026-06-26 23:21:42 UTC |
| GHSA-gj8w-mvpf-x27x | CVE-2026-55697 | high | reviewed | pnpm: Repository-controlled configDependencies can select a pacquet native install engine | 2026-06-26 23:20:47 UTC |
| GHSA-5wx6-mg75-v57r | CVE-2026-55487 | high | reviewed | pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle | 2026-06-26 23:18:13 UTC |
| GHSA-3qhv-2rgh-x77r | CVE-2026-55180 | medium | reviewed | pnpm: Repository config can expand victim environment secrets into registry requests before scripts run | 2026-06-26 23:12:25 UTC |
| GHSA-44cp-c3ww-9rv5 | CVE-2026-53465 | medium | reviewed | ImageMagick has a Heap Buffer Over-Write in SF3 encoder when writing multi-frame image | 2026-06-26 23:11:49 UTC |
| GHSA-j989-f892-2335 | CVE-2026-53464 | medium | reviewed | ImageMagick: Memory Leak in wand option parser when providing invalid arguments | 2026-06-26 23:11:25 UTC |
| GHSA-7mqq-4v55-88gh | CVE-2026-54244 | low | reviewed | Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors | 2026-06-26 23:10:37 UTC |
| GHSA-9rc6-8cjv-rcvx | CVE-2026-53523 | medium | reviewed | Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection | 2026-06-26 23:05:19 UTC |
| GHSA-jg62-j5h6-8mpq | CVE-2026-53522 | medium | reviewed | Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS | 2026-06-26 23:04:18 UTC |
| GHSA-h77m-qrj7-jxcw | CVE-2026-54243 | medium | reviewed | Statamic Vulnerable to CSV formula injection in form submission exports | 2026-06-26 23:03:56 UTC |
| GHSA-v5c4-wcpj-x73m | CVE-2026-54242 | medium | reviewed | Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding) | 2026-06-26 23:03:28 UTC |
| GHSA-5c25-7vpj-9mqh | CVE-2026-53519 | critical | reviewed | Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key | 2026-06-26 23:03:13 UTC |
| GHSA-39g2-8x68-pmx8 | CVE-2026-53521 | medium | reviewed | Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context | 2026-06-26 23:02:37 UTC |
| GHSA-x6fg-52vr-hj4w | CVE-2026-53520 | medium | reviewed | Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing | 2026-06-26 23:00:14 UTC |
| GHSA-rxhj-4m44-96r4 | CVE-2026-50015 | high | reviewed | pnpm Vulnerable to Arbitrary File Write/Delete via Malicious Patch File (Path Traversal) | 2026-06-26 22:59:48 UTC |
| GHSA-cjhr-43r9-cfmw | CVE-2026-50017 | medium | reviewed | pnpm binds unscoped user-level npm auth credentials to a repository-selected registry | 2026-06-26 22:59:25 UTC |
| GHSA-hwx4-2j3j-g496 | CVE-2026-50016 | high | reviewed | pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement | 2026-06-26 22:55:51 UTC |
| GHSA-p4xf-rf54-rj3x | CVE-2026-50014 | medium | reviewed | pnpm: Git Fetch Argument Injection via Lockfile resolution.commit | 2026-06-26 22:53:21 UTC |
| GHSA-q6j5-fjx5-2mc3 | CVE-2026-50021 | medium | reviewed | pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field | 2026-06-26 22:53:01 UTC |
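As an added example (not part of this listing or of GitHub's own tooling), here is the search the intro describes, implemented over the table rows themselves: it parses the six-column rows, validates the GHSA and CVE identifier formats, filters by exact ID, severity floor or summary phrase, and builds the matching query URL for GitHub's global advisories REST endpoint (`GET /advisories`) without contacting it. The sample rows are copied from the table above; the `Advisory` type and the `parse_table`, `search` and `advisories_api_url` names are this example's own.

```python
"""Search a GHSA listing like the table above: by GHSA/CVE ID, minimum severity, or summary phrase."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlencode

# GHSA IDs use a 21-character alphabet (no 0, 1, a, b, d, e, i, l, n, o, s, t, u, y, z).
_GHSA_CHARS = "23456789cfghjkmpqrvwx"
GHSA_RE = re.compile(rf"^GHSA(?:-[{_GHSA_CHARS}]{{4}}){{3}}$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ADVISORY_TYPES = {"reviewed", "unreviewed", "malware"}


@dataclass(frozen=True)
class Advisory:
    ghsa: str
    cve: str
    severity: str
    kind: str        # GitHub's review status: reviewed, unreviewed or malware
    summary: str
    published: str   # "YYYY-MM-DD HH:MM:SS UTC", sortable as a plain string


def parse_table(markdown: str) -> list[Advisory]:
    """Parse the six-column markdown rows used on this page into Advisory records.

    Malformed IDs or unknown severities raise instead of silently passing, so a
    copy-paste error in a listing cannot turn into a false "no match".
    """
    rows: list[Advisory] = []
    for line in markdown.splitlines():
        line = line.strip()
        if not line.startswith("| GHSA-"):
            continue                      # skip header, separator and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 6:
            raise ValueError(f"expected 6 columns: {line!r}")
        ghsa, cve, severity, kind, summary, published = cells
        if not GHSA_RE.match(ghsa):
            raise ValueError(f"bad GHSA id: {ghsa}")
        if not CVE_RE.match(cve):
            raise ValueError(f"bad CVE id: {cve}")
        if severity not in SEVERITY_RANK or kind not in ADVISORY_TYPES:
            raise ValueError(f"unknown severity/type in row: {ghsa}")
        rows.append(Advisory(ghsa, cve, severity, kind, summary, published))
    return rows


def search(advisories: list[Advisory], *, ident: str | None = None,
           min_severity: str | None = None, phrase: str | None = None) -> list[Advisory]:
    """Mirror the page's search box: exact ID match, severity floor, case-insensitive phrase."""
    if min_severity is not None and min_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {min_severity}")
    hits = []
    for a in advisories:
        if ident and ident.lower() not in (a.ghsa.lower(), a.cve.lower()):
            continue
        if min_severity and SEVERITY_RANK[a.severity] < SEVERITY_RANK[min_severity]:
            continue
        if phrase and phrase.lower() not in a.summary.lower():
            continue
        hits.append(a)
    # Most severe first; within a severity, oldest publication first so stale items surface.
    return sorted(hits, key=lambda a: (-SEVERITY_RANK[a.severity], a.published))


def advisories_api_url(**params: str) -> str:
    """Build the equivalent query against GitHub's REST endpoint GET /advisories.

    Only the URL is constructed (no network call); the keys are the endpoint's
    documented filters for IDs, ecosystem, severity, review type and publish date.
    """
    allowed = {"ghsa_id", "cve_id", "ecosystem", "severity", "type", "published", "per_page"}
    unknown = set(params) - allowed
    if unknown:
        raise ValueError(f"unsupported filter(s): {sorted(unknown)}")
    if "severity" in params and params["severity"] not in SEVERITY_RANK:
        raise ValueError("severity must be low, medium, high or critical")
    if "type" in params and params["type"] not in ADVISORY_TYPES:
        raise ValueError("type must be reviewed, unreviewed or malware")
    return "https://api.github.com/advisories?" + urlencode(params)


# Sample input: five rows copied verbatim from the listing above (not fabricated).
SAMPLE_TABLE = """
| GHSA-2fp4-5v5c-4448 | CVE-2026-49339 | high | reviewed | gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists | 2026-06-26 23:32:10 UTC |
| GHSA-3qhv-2rgh-x77r | CVE-2026-55180 | medium | reviewed | pnpm: Repository config can expand victim environment secrets into registry requests before scripts run | 2026-06-26 23:12:25 UTC |
| GHSA-7mqq-4v55-88gh | CVE-2026-54244 | low | reviewed | Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors | 2026-06-26 23:10:37 UTC |
| GHSA-5c25-7vpj-9mqh | CVE-2026-53519 | critical | reviewed | Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key | 2026-06-26 23:03:13 UTC |
| GHSA-rxhj-4m44-96r4 | CVE-2026-50015 | high | reviewed | pnpm Vulnerable to Arbitrary File Write/Delete via Malicious Patch File (Path Traversal) | 2026-06-26 22:59:48 UTC |
"""

if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    for a in search(rows, min_severity="high", phrase="path traversal"):
        print(a.severity.upper(), a.ghsa, a.cve, "-", a.summary[:60])
    print(advisories_api_url(ecosystem="npm", severity="high", type="reviewed"))
```

The parser is deliberately strict: an ID that fails the GHSA alphabet or CVE pattern aborts the run, because the usual failure in triage scripts is a silently dropped row, not a crash. Sorting puts the most severe advisory first and, within one severity, the oldest publication first, so the items that have been waiting longest are the ones you see.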