diff --git a/gems/phlex/GHSA-w67g-2h6v-vjgq.yml b/gems/phlex/GHSA-w67g-2h6v-vjgq.yml
new file mode 100644
index 0000000000..fd4cc80009
--- /dev/null
+++ b/gems/phlex/GHSA-w67g-2h6v-vjgq.yml
@@ -0,0 +1,63 @@
+---
+gem: phlex
+ghsa: w67g-2h6v-vjgq
+url: https://github.com/yippee-fun/phlex/security/advisories/GHSA-w67g-2h6v-vjgq
+title: Phlex XSS protection bypass via attribute splatting,
+  dynamic tags, and href values
+date: 2026-02-06
+description: |
+  ### Impact
+
+  During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex,
+  we identified three specific ways to bypass the XSS (cross-site-scripting)
+  protection built into Phlex.
+
+  1. The first bypass could happen if user-provided attributes with
+     string keys were splatted into HTML tag, e.g. `div(**user_attributes)`.
+
+  2. The second bypass could happen if user-provided tag names were
+     passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`.
+
+  3. The third bypass could happen if user’s links were passed to
+     `href` attributes, e.g. `a(href: user_provided_link)`.
+
+  All three of these patterns are meant to be safe and all
+  have now been patched.
+
+  ### Patches
+
+  Phlex has patched all three issues and introduced new tests that
+  run against Safari, Firefox and Chrome.
+
+  The patched versions are:
+
+  - [2.4.1](https://rubygems.org/gems/phlex/versions/2.4.1)
+  - [2.3.2](https://rubygems.org/gems/phlex/versions/2.3.2)
+  - [2.2.2](https://rubygems.org/gems/phlex/versions/2.2.2)
+  - [2.1.3](https://rubygems.org/gems/phlex/versions/2.1.3)
+  - [2.0.2](https://rubygems.org/gems/phlex/versions/2.0.3)
+  - [1.11.1](https://rubygems.org/gems/phlex/versions/1.11.1)
+
+  Phlex has also patched the [`main`](https://github.com/yippee-fun/phlex)
+  branch in GitHub.
+
+  ### Workarounds
+  If a project uses a secure CSP (content security policy) or if the
+  application doesn’t use any of the above patterns, it is not at risk.
+cvss_v3: 7.1
+patched_versions:
+  - "~> 1.11.1"
+  - "~> 2.0.2"
+  - "~> 2.1.3"
+  - "~> 2.2.2"
+  - "~> 2.3.2"
+  - ">= 2.4.1"
+related:
+  url:
+    - https://github.com/yippee-fun/phlex/security/advisories/GHSA-w67g-2h6v-vjgq
+    - https://github.com/yippee-fun/phlex/commit/1d85da417cb15eb8cb2f54a68d531c9b35d9d03a
+    - https://github.com/yippee-fun/phlex/commit/556441d5a64ff93f749e8116a05b2d97264468ee
+    - https://github.com/yippee-fun/phlex/commit/74e3d8610ffabc2cf5f241945e9df4b14dceb97d
+    - https://github.com/yippee-fun/phlex/commit/9f56ad13bea9a7d6117fdfd510446c890709eeac
+    - https://github.com/yippee-fun/phlex/commit/fe9ea708672f9fa42526d9b47e1cdc4634860ef1
+    - https://github.com/advisories/GHSA-w67g-2h6v-vjgq