🚨 最新安全公告
- ⚪ GHSA-vmfc-9982-2m45 [medium] (2026-07-07)
Weblate SSRF: outbound URL guard misses some private ranges
- ⚪ GHSA-2jcc-mxv7-p3f9 [medium] (2026-07-07)
oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)
- ⚪ GHSA-6w3m-4hhp-775q [medium] (2026-07-07)
KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping
- ⚪ GHSA-f66q-9rf6-8795 [medium] (2026-07-07)
Flask-Security-Too: WebAuthn reauthentication freshness bypass via cross-user assertion
- 🟠 GHSA-4g5x-hcwm-82jw [high] (2026-07-07)
Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise
- 🔴 GHSA-26rh-24rg-j3vv [critical] (2026-07-07)
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers
- ⚪ GHSA-q855-8rh5-jfgq [medium] (2026-07-07)
ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path
- 🟢 GHSA-cwv4-h3j5-w3cf [low] (2026-07-07)
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path
- ⚪ GHSA-v3q9-hj7j-63hq [medium] (2026-07-07)
aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address
- ⚪ GHSA-gvhc-wv3v-7pf8 [medium] (2026-07-07)
Kite has an authenticated cluster RBAC bypass in /api/v1/overview
📡 数据来源: GitHub Security Advisories · 由 PingSec 安全日报自动生成