**GitHub 安全公告(GHSA)** 是针对易受攻击的开源包与生态(如 npm、PyPI、Maven)的权威通告,通常关联 **CVE**。 使用搜索框查找 GHSA 或 CVE,按生态或严重度筛选,或在摘要中匹配短语。
| GHSA | CVE | 严重度 | 类型 | 摘要 | 公开时间 |
|---|---|---|---|---|---|
| GHSA-wmg3-h8mf-wgvr | CVE-2026-61459 | critical | unreviewed | MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured... | 2026-07-10 21:32:32 UTC |
| GHSA-q94r-r39w-76f6 | CVE-2026-5801 | critical | unreviewed | Improper neutralization of special elements used in an SQL command ('SQL injection')... | 2026-07-10 21:32:32 UTC |
| GHSA-hw83-q5rh-7hgf | CVE-2026-61461 | high | unreviewed | Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend... | 2026-07-10 21:32:32 UTC |
| GHSA-g6gj-wmj4-88pr | CVE-2026-6212 | high | unreviewed | Authorization bypass through User-Controlled key vulnerability in Teracity Software Technologies... | 2026-07-10 21:32:32 UTC |
| GHSA-9qgj-r9fj-454p | CVE-2026-61460 | high | unreviewed | Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in... | 2026-07-10 21:32:32 UTC |
| GHSA-w2cw-hx5v-f37r | CVE-2025-30008 | medium | unreviewed | HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows... | 2026-07-10 21:32:30 UTC |
| GHSA-77jw-q7w3-q2hw | CVE-2026-15146 | medium | unreviewed | GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP... | 2026-07-10 21:32:30 UTC |
| GHSA-5c2f-7vp3-pm3x | CVE-2025-30007 | high | unreviewed | HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows... | 2026-07-10 21:32:29 UTC |
| GHSA-48rx-c7pg-q66r | CVE-2026-54171 | medium | reviewed | Excon does not redact additional sensitive/risky headers when following redirects | 2026-07-10 20:37:29 UTC |
| GHSA-h4g2-xfmw-q2c9 | — | high | reviewed | Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset | 2026-07-10 20:37:23 UTC |
| GHSA-rqq5-2gf9-4w4q | CVE-2026-54163 | medium | reviewed | Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input | 2026-07-10 20:37:15 UTC |
| GHSA-56mp-4f3v-fgj2 | CVE-2026-50551 | critical | reviewed | SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content | 2026-07-10 20:37:04 UTC |
| GHSA-m5f5-28qr-9g9r | CVE-2026-54159 | critical | reviewed | prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE | 2026-07-10 20:36:56 UTC |
| GHSA-5xfx-xj4h-5p7r | CVE-2026-54158 | critical | reviewed | SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML() | 2026-07-10 19:34:53 UTC |
| GHSA-g5r6-gv6m-f5jv | — | high | reviewed | mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attachment | 2026-07-10 19:34:37 UTC |
| GHSA-wm45-qh3g-v83f | — | high | reviewed | mcp-atlassian: Arbitrary server-side file read via attachment upload | 2026-07-10 19:34:30 UTC |
| GHSA-xrmc-c5cg-rv7x | — | high | reviewed | SafeInstall agent guard shell parsing can miss raw package execution | 2026-07-10 19:34:14 UTC |
| GHSA-qv4m-m73m-8hj7 | — | high | reviewed | NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file) | 2026-07-10 19:34:03 UTC |
| GHSA-m8gf-v64p-gfmg | CVE-2026-54071 | high | reviewed | BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py | 2026-07-10 19:32:44 UTC |
| GHSA-m93h-4hw7-5qcm | CVE-2026-54088 | critical | reviewed | File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE) | 2026-07-10 19:32:32 UTC |