Security patch:
GHSA-rfh7-fxqc-q52v: @angular/platform-server: SSRF via Hostname Hijacking
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
Update:
GHSA-3h23-rrpc-3p87: Caddy Defender trusted proxy client IP bypass
Why it matters → pkg.jsn.cam/caddy-defender released an update. Review the changelog for relevant changes.
Who should care → Teams using pkg.jsn.cam/caddy-defender.
Breaking change:
GHSA-6xwp-cp5h-q856: Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm
Why it matters → Apps using @beproduct/nestjs-auth will need code changes before upgrading. Review the release notes before bumping versions.
Who should care → Engineers depending on @beproduct/nestjs-auth.
Update:
GHSA-3jmg-p96m-m328: FileBrowser Quantum: unauthenticated user share share info
Why it matters → github.com/gtsteffaniak/filebrowser released an update. Review the changelog for relevant changes.
Who should care → Teams using github.com/gtsteffaniak/filebrowser.
New capability:
GHSA-7hgr-7h44-33w2: CamoFox MCP: Unauthenticated HTTP MCP browser-control surface
Why it matters → New functionality is available in camofox-mcp. May enable simpler implementations or replace external dependencies.
Who should care → Teams already using camofox-mcp or evaluating it.
Update:
GHSA-73jc-5mrq-prw7: SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser
Why it matters → sqlfluff released an update. Review the changelog for relevant changes.
Who should care → Teams using sqlfluff.
Update:
GHSA-wmhf-fqc8-vxhh: SQLFluff: Recursive Stack Overflow in Parser
Why it matters → sqlfluff released an update. Review the changelog for relevant changes.
Who should care → Teams using sqlfluff.
Security patch:
GHSA-qg89-qwwh-5f3j: SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
Update:
GHSA-m6xr-fvfg-5g64: Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal
Why it matters → github.com/tomwright/dasel/v3 released an update. Review the changelog for relevant changes.
Who should care → Teams using github.com/tomwright/dasel/v3.
Update:
GHSA-m5j3-4634-c2vq: Dasel: Index-out-of-range panic in dasel selector lexer on trailing backslash in quoted string
Why it matters → github.com/tomwright/dasel/v3 released an update. Review the changelog for relevant changes.
Who should care → Teams using github.com/tomwright/dasel/v3.
Security patch:
GHSA-32mq-hpph-xfvr: @libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
Update:
GHSA-6x44-w3xg-hqqf: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft
Why it matters → github.com/coder/coder released an update. Review the changelog for relevant changes.
Who should care → Teams using github.com/coder/coder.
Security patch:
GHSA-g8wj-3cr3-6w7v: Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache…
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
Security patch:
GHSA-62q4-447f-wv8h: Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite…
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
New capability:
GHSA-22qr-rp27-j9wm: PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE
Why it matters → New functionality is available in @penpot/mcp. May enable simpler implementations or replace external dependencies.
Who should care → Teams already using @penpot/mcp or evaluating it.
Security patch:
GHSA-2mgw-7q6p-8grg: FPDI: Memory Exhaustion and Endless Loop in FPDI leads to Denial of Service
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
Breaking change:
GHSA-7xpr-hc2w-34m9: Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding…
Why it matters → Apps using com.squareup.wire:wire-runtime will need code changes before upgrading. Review the release notes before bumping versions.
Who should care → Engineers depending on com.squareup.wire:wire-runtime.
Update:
GHSA-686c-7vgv-v3fx: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint
Why it matters → github.com/coder/coder released an update. Review the changelog for relevant changes.
Who should care → Teams using github.com/coder/coder.
Update:
GHSA-9r33-xhw8-4qqp: HAX CMS: Denial of Service using Malicious Import Request
Why it matters → @haxtheweb/haxcms-nodejs released an update. Review the changelog for relevant changes.
Who should care → Teams using @haxtheweb/haxcms-nodejs.
Update:
GHSA-5qwm-7pvp-w988: OpenMcdf: Uncatchable infinite loop in DirectoryTree.TryGetDirectoryEntry on crafted CFB directory…
Why it matters → openmcdf released an update. Review the changelog for relevant changes.
Who should care → Teams using openmcdf.
Update:
GHSA-phqj-4mhp-q6mq: rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for…
Why it matters → openssl released an update. Review the changelog for relevant changes.
Who should care → Teams using openssl.
Update:
GHSA-hcf7-66rw-9f5r: Trubo: Login callback CSRF/session fixation
Why it matters → turbo released an update. Review the changelog for relevant changes.
Who should care → Teams using turbo.
Update:
GHSA-3qcw-2rhx-2726: Turbo: Unexpected local code execution during Yarn Berry detection
Why it matters → @turbo/workspaces released an update. Review the changelog for relevant changes.
Who should care → Teams using @turbo/workspaces.
Update:
GHSA-g53w-w6mj-hrpp: MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin…
Why it matters → github.com/kuadrant/mcp-gateway released an update. Review the changelog for relevant changes.
Who should care → Teams using github.com/kuadrant/mcp-gateway.
Security patch:
GHSA-m9p2-fxp5-v3fp: Diesel: Command injection in Diesel's implementation of `COPY FROM`/`COPY TO`
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
Security patch:
GHSA-crc3-h8v6-qh57: GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
Security patch:
GHSA-gx7w-56w6-g48x: Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
Security patch:
GHSA-wwhq-w58m-w29c: Caddy CVE-2026-30852 Fix Bypass
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
Security patch:
GHSA-m23h-6mwm-39m8: Kong Ingress Controller for Kubernetes (KIC): Cross-namespace TLS Secret Exfiltration in Gateways…
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
