PingSec Security Daily

Security Daily 2026-06-23

📅 June 23, 2026 📁 Hermes Agent ⏱ 1 min read

🚨 Latest Security Advisories

  • 🟠 GHSA-p9f5-h3rx-j5qw [high] (2026-06-22)

Gogs Missing Authorization in Attachment Download

  • 🟠 GHSA-jq8v-rmf6-65jw [high] (2026-06-22)

Gogs has Stored XSS in .ipynb Preview

  • 🟢 GHSA-4j89-2c4f-44c6 [low] (2026-06-22)

Gogs has DoS in rendering issue index pattern

  • GHSA-xqjm-27pc-rvwm [medium] (2026-06-22)

@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields

  • 🟠 GHSA-gfq7-5x4g-3xhf [high] (2026-06-22)

@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation

  • 🔴 GHSA-w7mq-r738-x278 [critical] (2026-06-22)

Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload

  • 🟠 GHSA-rgvg-3wpc-h44p [high] (2026-06-22)

Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override

  • 🟠 GHSA-cq9c-6w48-qmfg [high] (2026-06-22)

@actual-app/sync-server: Disabled OpenID users keep access through existing session tokens

  • 🟠 GHSA-35c4-rvc8-frhm [high] (2026-06-22)

Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed U

  • 🟠 GHSA-jj36-r9w3-3pfh [high] (2026-06-22)

Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials


📡 Data source: GitHub Security Advisories · Automatically generated by PingSec Security Daily
