GHSA-G2XH-C426-V8MF

creationtimestamp| type| source ---|---|--- 2026-05-21 00:45:42+00:00| seen| https://gist.github.com/FuzzysTodd/4e10f5b327d09a37dc02a2a08f442f94...

PT-2026-42815

Name of the Vulnerable Software and Affected Versions wasmtime-wasi affected versions not specified Description An access control mechanism bypass exists when a filesystem preopen is configured with DirPerms::all and FilePerms::READ without FilePerms::WRITE. This allows bypassing restrictions by...

CVE-2026-46705

creationtimestamp| type| source ---|---|--- 2026-05-20 22:48:47+00:00| published-proof-of-concept| https://github.com/Eugeny/russh/security/advisories/GHSA-hpv4-5h6f-wqr3 2026-06-10 23:00:19+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mnxsulhtsc2f...

GHSA-J989-FGGP-QGP5 vulnerabilities

Vulnerabilities for packages: python...

GHSA-C9J4-9M59-847W

creationtimestamp| type| source ---|---|--- 2026-05-20 19:07:38+00:00| seen| https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/ 2026-05-21 10:45:20+00:00| seen| https://bsky.app/profile/tech-trending.bsky.social/post/3mmeahvo27p2m 2026-05-21...

GO-2026-4991 Daptin's Session Management Vulnerability Leads to Insufficient Session Expiration After Password Change in github.com/daptin/daptin

Daptin's Session Management Vulnerability Leads to Insufficient Session Expiration After Password Change in github.com/daptin/daptin...

GO-2026-4988 DevGuard has an unauthenticated identity assertion via `X-Admin-Token` header in github.com/l3montree-dev/devguard

DevGuard has an unauthenticated identity assertion via X-Admin-Token header in github.com/l3montree-dev/devguard...

GO-2026-4953 goshs is Missing Write Protection for Parametric Data Values in github.com/patrickhener/goshs

goshs is Missing Write Protection for Parametric Data Values in github.com/patrickhener/goshs...

GO-2026-5009 Kopia: RCE via SSH ProxyCommand Injection in github.com/kopia/kopia

Kopia: RCE via SSH ProxyCommand Injection in github.com/kopia/kopia...

Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft

In this article 1. Attack chain overview 1. Technical analysis 2. How GitHub took action to prevent further harm 2. Mitigation and protection guidance 1. Microsoft Defender XDR Detections 2. Microsoft Defender XDR Threat analytics 3. Advanced hunting 4. Indicators of Compromise IOC 3. References ...

Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft

In this article 1. Attack chain overview 1. Technical analysis 2. How GitHub took action to prevent further harm 2. Mitigation and protection guidance 1. Microsoft Defender XDR Detections 2. Microsoft Defender XDR Threat analytics 3. Advanced hunting 4. Indicators of Compromise IOC 3. References ...

GHSA-XX55-4RRG-8XG6

creationtimestamp| type| source ---|---|--- 2026-05-20 16:56:46+00:00| seen| https://bsky.app/profile/Whiskeyomega.cupoftea.social.ap.brid.gy/post/3mmceqyeaiq72...

CVE-2026-48061

creationtimestamp| type| source ---|---|--- 2026-05-20 16:46:22+00:00| published-proof-of-concept| https://github.com/litestar-org/litestar/security/advisories/GHSA-3qmc-cj7q-62hv...

CVE-2026-26028

creationtimestamp| type| source ---|---|--- 2026-05-20 15:52:46+00:00| published-proof-of-concept| https://github.com/cryptpad/cryptpad/security/advisories/GHSA-g2g4-47gv-p72v...

CVE-2026-35672

creationtimestamp| type| source ---|---|--- 2026-05-20 15:46:42+00:00| published-proof-of-concept| https://github.com/advisories/GHSA-gp95-j463-vv28...

CVE-2026-35671

creationtimestamp| type| source ---|---|--- 2026-05-20 15:46:17+00:00| published-proof-of-concept| https://github.com/advisories/GHSA-xvp4-phqj-cjr3...

CVE-2026-35676

creationtimestamp| type| source ---|---|--- 2026-05-20 15:45:53+00:00| published-proof-of-concept| https://github.com/advisories/GHSA-9qv9-8xv6-5p35 2026-05-28 17:34:05+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mmwklaw3se2c...

Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions

Impact This affects only workflows that pin an exact affected Composer semver version through setup-php, for example tools: composer:2.9.7. Workflows using the default Composer version, composer:v2, or no pinned Composer version are not affected through setup-php, because those Composer URLs have...

GHSA-5WXR-W449-57CM Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions

Impact This affects only workflows that pin an exact affected Composer semver version through setup-php, for example tools: composer:2.9.7. Workflows using the default Composer version, composer:v2, or no pinned Composer version are not affected through setup-php, because those Composer URLs have...

GHSA-PQWM-Q9PV-PH8R Setup PHP: Command Injection in Repository-Derived PHP Version Resolution

Summary A command injection vulnerability was identified in shivammathur/setup-php when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script. In affected versions, setup-php may read the PHP version from: - .php-versio...