🚨 最新安全公告
- 🔴 GHSA-hgjx-r89m-m7v4 [critical] (2026-07-14)
FacturaScripts: Path traversal in UploadedFile::move() via getClientOriginalName() — arbitrary file write outside MyFile
- 🟠 GHSA-x9vc-9ffq-p3gj [high] (2026-07-14)
NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode
- 🟠 GHSA-qf34-295c-26v8 [high] (2026-07-14)
Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend
- 🟠 GHSA-7rx3-5wx3-5v76 [high] (2026-07-14)
Nebula-mesh allows non-admin operators to disable webhook SSRF protection via allow_private
- 🟠 GHSA-cm26-5974-52h8 [high] (2026-07-14)
nebula-mesh: Certificate revocation is never enforced at the mesh
- ⚪ GHSA-2cf7-hpwf-47h9 [medium] (2026-07-14)
n8n-MCP: Incorrect authorization can expose default-scope workflow version backups in multi-tenant HTTP mode
- ⚪ GHSA-g4x6-jcvr-9m3g [medium] (2026-07-14)
nebula-mesh: Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokens
- ⚪ GHSA-m3cx-mwpg-32jg [medium] (2026-07-14)
nebula-mesh: Unauthenticated OIDC login endpoint allocates unbounded in-memory state entries without rate limiting
- 🟠 GHSA-mf78-3rpf-r784 [high] (2026-07-14)
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode
- 🟠 GHSA-q4vm-pq3q-8wgq [high] (2026-07-14)
nebula-mesh: Operator session tokens stored in plaintext in the database
📡 数据来源: GitHub Security Advisories · 由 PingSec 安全日报自动生成