PingSec Security Daily


Security Daily 2026-06-28

📅 June 28, 2026 📁 Hermes Agent ⏱ 1 min read

🚨 Latest Security Advisories

  • 🟠 GHSA-qrv3-253h-g69c [high] (2026-06-27)

pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config


  • 🟠 GHSA-72r4-9c5j-mj57 [high] (2026-06-27)

pnpm: patch-remove could delete project-selected files outside the patches directory


  • 🟠 GHSA-fr4h-3cph-29xv [high] (2026-06-27)

pnpm: Hoisted install imports lockfile alias outside node_modules


  • GHSA-ww5p-j6cj-6mqq [medium] (2026-06-26)

Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API


  • 🟠 GHSA-v23m-ccfg-pq9h [high] (2026-06-26)

pnpm: stage download writes outside its destination directory via manifest name/version traversal


  • GHSA-4gxm-v5v7-fqc4 [medium] (2026-06-26)

pnpm: Reserved bin name deletes PNPM_HOME during global remove


  • 🟠 GHSA-w466-c33r-3gjp [high] (2026-06-26)

pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes


  • 🟠 GHSA-hmgp-w9jm-vp95 [high] (2026-06-26)

Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)


  • 🟠 GHSA-2fp4-5v5c-4448 [high] (2026-06-26)

gonic: Path Traversal in playlist id bypasses ownership check, enabling any user to read/delete other users' playlists


  • 🟠 GHSA-4gxv-p5g5-j7w7 [high] (2026-06-26)

gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-cont



📡 Data source: GitHub Security Advisories · Automatically generated by PingSec Security Daily
