**GitHub Security Advisories (GHSA)** are the authoritative notices for vulnerable open-source packages and ecosystems (such as npm, PyPI, Maven), usually linked to a **CVE**. Use the search box to look up a GHSA or CVE, filter by ecosystem or severity, or match phrases in the summary.
| GHSA | CVE | Severity | Type | Summary | Published |
|---|---|---|---|---|---|
| GHSA-54hh-g5mx-jqcp | CVE-2026-50573 | medium | reviewed | pnpm: Unsafe default behavior breaks integrity check | 2026-06-26 22:52:33 UTC |
| GHSA-8jgf-23q5-x7xx | — | high | reviewed | ex_aws_sns: Trusted-attacker `SigningCertURL` permits complete SNS signature bypass | 2026-06-26 22:50:27 UTC |
| GHSA-m34p-749j-x6m6 | CVE-2026-50029 | medium | reviewed | js-toml has silent type confusion via falsy-primitive duplicate-key bypass | 2026-06-26 22:49:28 UTC |
| GHSA-qvqc-4c52-x6qp | CVE-2026-49349 | medium | reviewed | regclient may leak authentication credentials to external blob stores | 2026-06-26 22:43:31 UTC |
| GHSA-j748-h363-wqj8 | CVE-2026-48794 | low | reviewed | Authelia has an Edge Case Access Control Rule Mismatch | 2026-06-26 22:32:21 UTC |
| GHSA-q6xx-5vr8-p898 | — | critical | reviewed | Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check | 2026-06-26 22:31:41 UTC |
| GHSA-wcr3-9x4c-f5gj | — | high | reviewed | Blnk has an API key authorization bypass in owner and scope enforcement | 2026-06-26 22:31:03 UTC |
| GHSA-pxcc-8665-phx8 | CVE-2026-49342 | medium | reviewed | YARD static cache reads raw traversal paths before router sanitization | 2026-06-26 22:29:29 UTC |
| GHSA-396q-4vc8-28x9 | CVE-2026-49336 | medium | reviewed | @microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter | 2026-06-26 22:23:11 UTC |
| GHSA-wp3c-266w-4qfq | CVE-2026-49293 | high | reviewed | js-toml vulnerable to CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals | 2026-06-26 22:21:43 UTC |
| GHSA-7vfx-4246-jcfh | — | high | reviewed | SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings | 2026-06-26 22:20:50 UTC |
| GHSA-m92m-r54r-x8r2 | CVE-2026-49287 | high | reviewed | Statamic CMS's unsafe method invocation via collection sorting allows data destruction | 2026-06-26 22:15:47 UTC |
| GHSA-2497-6pwj-pwg7 | CVE-2026-49288 | medium | reviewed | Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources | 2026-06-26 22:12:21 UTC |
| GHSA-x8g9-h984-pc36 | CVE-2026-49359 | medium | reviewed | PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option | 2026-06-26 22:11:40 UTC |
| GHSA-5g9f-cwwg-4p8g | CVE-2026-49358 | low | reviewed | PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles | 2026-06-26 22:10:51 UTC |
| GHSA-2fmj-p74r-3wjm | CVE-2026-49286 | high | reviewed | PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass) | 2026-06-26 22:10:00 UTC |
| GHSA-9653-rcfr-5c62 | CVE-2026-47067 | high | reviewed | Hackney vulnerable to atom-table exhaustion via unrecognized URL schemes | 2026-06-26 22:01:36 UTC |
| GHSA-q8jg-fgj4-fphf | CVE-2026-47073 | high | reviewed | Hackney has unbounded buffer accumulation in WebSocket | 2026-06-26 22:00:16 UTC |
| GHSA-f9vr-g2g2-x9fg | CVE-2026-47072 | medium | reviewed | Hackney has CRLF / header injection in WebSocket upgrade request | 2026-06-26 21:59:44 UTC |
| GHSA-j9wq-vxxc-94wf | CVE-2026-47075 | medium | reviewed | Hackney has CR/LF injection in query parameter | 2026-06-26 21:58:59 UTC |