{"source":"ghsa-npm","note":"Free 5-item preview. The full feed is $0.05/call at GET /v1/ghsa-npm/changes.","question":"Which new GitHub security advisories affecting npm packages were published since T, and how severe are they?","sample":[{"source":"ghsa-npm","entityId":"ghsa:GHSA-g4w6-vmgf-xqvx","type":"advisory","title":"GHSA-g4w6-vmgf-xqvx / CVE-2026-49473: @cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation","summary":"HIGH severity. Affected: @cedar-policy/authorization-for-expressjs.","significance":9,"detectedAt":"2026-07-14T22:21:14.991Z","effectiveDate":"2026-06-30T18:09:13Z","sourceUrl":"https://github.com/advisories/GHSA-g4w6-vmgf-xqvx","detail":{"severity":"high","cve":"CVE-2026-49473","packages":"@cedar-policy/authorization-for-expressjs","cvss":8.8}},{"source":"ghsa-npm","entityId":"ghsa:GHSA-qcm7-3vpr-hj5h","type":"advisory","title":"GHSA-qcm7-3vpr-hj5h / CVE-2026-48795: @adonisjs/bodyparser has an incomplete fix for CVE-2026-25754","summary":"HIGH severity. Affected: @adonisjs/bodyparser, @adonisjs/bodyparser.","significance":9,"detectedAt":"2026-07-14T22:21:14.991Z","effectiveDate":"2026-06-30T18:34:32Z","sourceUrl":"https://github.com/advisories/GHSA-qcm7-3vpr-hj5h","detail":{"severity":"high","cve":"CVE-2026-48795","packages":"@adonisjs/bodyparser, @adonisjs/bodyparser","cvss":8.6}},{"source":"ghsa-npm","entityId":"ghsa:GHSA-c5r6-m4mr-8q5j","type":"advisory","title":"GHSA-c5r6-m4mr-8q5j / CVE-2026-49856: @jshookmcp/jshook: ICMP probe and traceroute skip local-network SSRF authorization","summary":"MEDIUM severity. Affected: @jshookmcp/jshook.","significance":4,"detectedAt":"2026-07-14T22:21:14.991Z","effectiveDate":"2026-07-01T18:14:57Z","sourceUrl":"https://github.com/advisories/GHSA-c5r6-m4mr-8q5j","detail":{"severity":"medium","cve":"CVE-2026-49856","packages":"@jshookmcp/jshook","cvss":4.3}},{"source":"ghsa-npm","entityId":"ghsa:GHSA-pvrj-8cg3-j5f8","type":"advisory","title":"GHSA-pvrj-8cg3-j5f8 / CVE-2026-49857: auth-fetch-mcp has SSRF Protection Bypass via IPv4-mapped IPv6 Loopback","summary":"HIGH severity. Affected: auth-fetch-mcp.","significance":7,"detectedAt":"2026-07-14T22:21:14.991Z","effectiveDate":"2026-07-01T18:16:22Z","sourceUrl":"https://github.com/advisories/GHSA-pvrj-8cg3-j5f8","detail":{"severity":"high","cve":"CVE-2026-49857","packages":"auth-fetch-mcp","cvss":7.4}},{"source":"ghsa-npm","entityId":"ghsa:GHSA-p26j-h7wj-r568","type":"advisory","title":"GHSA-p26j-h7wj-r568 / CVE-2026-49864: wetty vulnerable to DOM XSS via file-download filename","summary":"HIGH severity. Affected: wetty.","significance":7,"detectedAt":"2026-07-14T22:21:14.991Z","effectiveDate":"2026-07-01T18:19:39Z","sourceUrl":"https://github.com/advisories/GHSA-p26j-h7wj-r568","detail":{"severity":"high","cve":"CVE-2026-49864","packages":"wetty","cvss":null}}]}