🚨 Latest Security Advisories
- ⚪ GHSA-ww5p-j6cj-6mqq [medium] (2026-06-26)
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API
- 🟠 GHSA-v23m-ccfg-pq9h [high] (2026-06-26)
pnpm: stage download writes outside its destination directory via manifest name/version traversal
- ⚪ GHSA-4gxm-v5v7-fqc4 [medium] (2026-06-26)
pnpm: Reserved bin name deletes PNPM_HOME during global remove
- 🟠 GHSA-w466-c33r-3gjp [high] (2026-06-26)
pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes
- 🟠 GHSA-hmgp-w9jm-vp95 [high] (2026-06-26)
Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)
- 🟠 GHSA-2fp4-5v5c-4448 [high] (2026-06-26)
gonic: Path Traversal in playlist id bypasses ownership check, enabling any user to read/delete other users' playlists
- 🟠 GHSA-4gxv-p5g5-j7w7 [high] (2026-06-26)
gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-cont
- 🟠 GHSA-gj8w-mvpf-x27x [high] (2026-06-26)
pnpm: Repository-controlled configDependencies can select a pacquet native install engine
- 🟠 GHSA-5wx6-mg75-v57r [high] (2026-06-26)
pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle
- ⚪ GHSA-3qhv-2rgh-x77r [medium] (2026-06-26)
pnpm: Repository config can expand victim environment secrets into registry requests before scripts run
📡 Data source: GitHub Security Advisories · Automatically generated by PingSec Security Daily