CVE-2026-54174 [HIGH 8.3] depth=twilight score=46 — melange: Incomplete package integrity verification allows data section substitution GHSA-g936-7jqj-mwv8 [CRITICAL 9] depth=midnight score=50 — TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation CVE-2026-54159 [CRITICAL 10] depth=midnight score=55 — prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE CVE-2026-50551 [CRITICAL 9.9] depth=midnight score=55 epss=0% — SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content CVE-2026-54163 [MEDIUM 4.7] depth=sunlit score=26 — Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input GHSA-h4g2-xfmw-q2c9 [HIGH] depth=twilight score=41 — Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset CVE-2026-54171 [MEDIUM 6.5] depth=sunlit score=36 — Excon does not redact additional sensitive/risky headers when following redirects CVE-2026-54066 [HIGH 7.5] depth=twilight score=42 epss=2% — SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894 CVE-2026-54067 [CRITICAL 9.9] depth=midnight score=55 epss=0% — SiYuan: Stored XSS to RCE via CSS-snippet