**GitHub 安全公告(GHSA)** 是针对易受攻击的开源包与生态(如 npm、PyPI、Maven)的权威通告,通常关联 **CVE**。 使用搜索框查找 GHSA 或 CVE,按生态或严重度筛选,或在摘要中匹配短语。
| GHSA | CVE | 严重度 | 类型 | 摘要 | 公开时间 |
|---|---|---|---|---|---|
| GHSA-qfp7-j94c-gx97 | CVE-2026-11914 | unknown | unreviewed | vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*. | 2026-07-11 00:31:49 UTC |
| GHSA-m5f5-28qr-9g9r | CVE-2026-54159 | critical | reviewed | prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE | 2026-07-10 20:36:56 UTC |
| GHSA-qv4m-m73m-8hj7 | — | high | reviewed | NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file) | 2026-07-10 19:34:03 UTC |
| GHSA-pj8j-p4g4-4vw8 | CVE-2026-49865 | medium | reviewed | Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs | 2026-07-10 16:04:40 UTC |
| GHSA-pjhx-3c3w-9v23 | CVE-2026-49858 | medium | reviewed | API Platform Core vulnerable to cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate | 2026-07-10 14:32:01 UTC |
| GHSA-mr9r-h354-966r | CVE-2026-53639 | medium | reviewed | Sylius: IDOR on Shop Payment Request API endpoints | 2026-07-09 21:03:51 UTC |
| GHSA-6955-hrm5-c4qp | CVE-2026-53638 | medium | reviewed | Sylius: Channel-based payment method restriction bypass on shop account orders API endpoint | 2026-07-09 21:03:46 UTC |
| GHSA-5597-7rmh-97q5 | CVE-2026-53637 | medium | reviewed | Sylius: Cart FormComponent allows modification or deletion of an already-completed order | 2026-07-09 21:03:41 UTC |
| GHSA-px5m-h76g-p7p8 | CVE-2026-52778 | critical | reviewed | YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service | 2026-07-09 21:03:04 UTC |
| GHSA-9369-69wj-7m2f | CVE-2026-52777 | critical | reviewed | YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize | 2026-07-09 21:02:58 UTC |
| GHSA-4pf7-cc4r-g63h | CVE-2026-52775 | high | reviewed | YesWiki has Authenticated SQL Injection via ReactionManager | 2026-07-09 21:02:40 UTC |
| GHSA-r5xw-gcgw-hwp5 | CVE-2026-52774 | medium | reviewed | YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes | 2026-07-09 21:01:10 UTC |
| GHSA-35f3-pg38-486f | CVE-2026-52773 | medium | reviewed | YesWiki Vulnerable to Reflected XSS via Unescaped Archived-Revision `time` Parameter in `handlers/page/show.php` | 2026-07-09 21:00:55 UTC |
| GHSA-xc7j-3g8q-9vh4 | CVE-2026-52772 | medium | reviewed | YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html')) | 2026-07-09 21:00:33 UTC |
| GHSA-8f2v-2qhj-gfwg | CVE-2026-52771 | high | reviewed | YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (`ApiController::deletePage`) | 2026-07-09 21:00:14 UTC |
| GHSA-qg78-vmvc-fhjw | CVE-2026-52770 | high | reviewed | YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters | 2026-07-09 21:00:05 UTC |
| GHSA-vw42-752g-5mrp | CVE-2026-52769 | high | reviewed | YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub `Signature.keyId` | 2026-07-09 20:58:33 UTC |
| GHSA-mv28-wj57-f57g | CVE-2026-52767 | high | reviewed | YesWiki Vulnerable to Unauthenticated ActivityPub Signature-Verification Bypass via `!openssl_verify(...)` accepting `int(-1)` | 2026-07-09 20:58:12 UTC |
| GHSA-6x7x-gcmf-7r8x | CVE-2026-52766 | critical | reviewed | YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action | 2026-07-09 20:57:25 UTC |
| GHSA-89v6-j5x6-cmj3 | CVE-2026-52763 | medium | reviewed | YesWiki: SQL injection via the `recentchanges` action `period` argument leads to arbitrary DB read | 2026-07-09 20:54:46 UTC |