diff --git a/gems/crass/GHSA-6jxj-px6v-747w.yml b/gems/crass/GHSA-6jxj-px6v-747w.yml new file mode 100644 index 0000000000..35589af4bd --- /dev/null +++ b/gems/crass/GHSA-6jxj-px6v-747w.yml @@ -0,0 +1,25 @@ +--- +gem: crass +ghsa: 6jxj-px6v-747w +url: https://github.com/rgrove/crass/security/advisories/GHSA-6jxj-px6v-747w +title: Deeply nested CSS blocks and functions can trigger a + SystemStackError or excessive memory usage +date: 2026-06-25 +description: | + ## Impact + + Crass recursively parses CSS simple blocks and functions without a + depth guard. An attacker-controlled value containing many deeply + nested blocks can recurse until Ruby raises SystemStackError: + stack level too deep, or can cause excessive memory usage. +cvss_v4: 6.3 +patched_versions: + - ">= 1.0.7" +related: + url: + - https://rubygems.org/gems/crass/versions/1.0.7 + - https://github.com/rgrove/crass/releases/tag/v1.0.7 + - https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25 + - https://github.com/rgrove/crass/security/advisories/GHSA-6jxj-px6v-747w +notes: | + - No CVE, but published so no non-GHSA cvss values. diff --git a/gems/crass/GHSA-6wmf-3r64-vcwv.yml b/gems/crass/GHSA-6wmf-3r64-vcwv.yml new file mode 100644 index 0000000000..6c46057dc0 --- /dev/null +++ b/gems/crass/GHSA-6wmf-3r64-vcwv.yml 
@@ -0,0 +1,27 @@ +--- +gem: crass +ghsa: 6wmf-3r64-vcwv +url: https://github.com/rgrove/crass/security/advisories/GHSA-6wmf-3r64-vcwv +title: Large numeric exponents cause CPU and memory denial of service +date: 2026-06-25 +description: | + ## Impact + + Crass converts CSS scientific notation number values with unbounded + exponentiation before it clamps the result to Float::MAX. Applications + that use Crass to parse attacker-controlled CSS strings can be forced + to spend disproportionate CPU and memory parsing a tiny input, + possibly resulting in a crash. + + Exponents are now bounded before 10**exponent is computed. +cvss_v4: 8.9 +patched_versions: + - ">= 1.0.7" +related: + url: + - https://rubygems.org/gems/crass/versions/1.0.7 + - https://github.com/rgrove/crass/releases/tag/v1.0.7 + - https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25 + - https://github.com/rgrove/crass/security/advisories/GHSA-6wmf-3r64-vcwv +notes: | + - No CVE, but published so no non-GHSA cvss values. diff --git a/gems/crass/GHSA-8vfg-2r28-hvhj.yml b/gems/crass/GHSA-8vfg-2r28-hvhj.yml new file mode 100644 index 0000000000..7a16249c11 --- /dev/null +++ b/gems/crass/GHSA-8vfg-2r28-hvhj.yml 
@@ -0,0 +1,25 @@ +--- +gem: crass +ghsa: 8vfg-2r28-hvhj +url: https://github.com/rgrove/crass/security/advisories/GHSA-8vfg-2r28-hvhj +title: A large number of adjacent CSS comments can trigger a SystemStackError +date: 2026-06-25 +description: | + ## Impact + + When parsing an input containing non-ASCII characters, inefficiencies + in how Crass tracks the positions of multi-byte characters result + in superlinear parsing time. An attacker-controlled input consisting + of many non-ASCII characters could cause excessive CPU consumption + and potentially denial of service. +cvss_v4: 6.3 +patched_versions: + - ">= 1.0.7" +related: + url: + - https://rubygems.org/gems/crass/versions/1.0.7 + - https://github.com/rgrove/crass/releases/tag/v1.0.7 + - https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25 + - https://github.com/rgrove/crass/security/advisories/GHSA-8vfg-2r28-hvhj +notes: | + - No CVE, but published so no non-GHSA cvss values. diff --git a/gems/crass/GHSA-wwpr-jff3-395c.yml b/gems/crass/GHSA-wwpr-jff3-395c.yml new file mode 100644 index 0000000000..06d0820417 --- /dev/null +++ b/gems/crass/GHSA-wwpr-jff3-395c.yml 
@@ -0,0 +1,26 @@ +--- +gem: crass +ghsa: wwpr-jff3-395c +url: https://github.com/rgrove/crass/security/advisories/GHSA-wwpr-jff3-395c +title: A large number of adjacent CSS comments can trigger a + SystemStackError +date: 2026-06-25 +description: | + ## Impact + + When the :preserve_comments option is not enabled (which is the + default behavior), Crass discards CSS comments by recursively + consuming the next token. An attacker who provides a stylesheet + containing a very large number of adjacent comments can cause + excessive recursion and trigger a SystemStackError. +cvss_v4: 6.3 +patched_versions: + - ">= 1.0.7" +related: + url: + - https://rubygems.org/gems/crass/versions/1.0.7 + - https://github.com/rgrove/crass/releases/tag/v1.0.7 + - https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25 + - https://github.com/rgrove/crass/security/advisories/GHSA-wwpr-jff3-395c +notes: | + - No CVE, but published so no non-GHSA cvss values.
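Review bot: In gems/crass/GHSA-6jxj-px6v-747w.yml, the notes entry "No CVE, but published so no non-GHSA cvss values." is hard to parse, and the same sentence is repeated in all four new files. If the intent is that no CVE has been assigned and that the only score available is the one from the GHSA, say that as two plain statements. Separately, the last entry under related.url in each file repeats the value already given in the top-level url field and can be dropped.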
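Review bot: In gems/crass/GHSA-6wmf-3r64-vcwv.yml, the last sentence of the description, "Exponents are now bounded before 10**exponent is computed.", describes the fix but sits under the "## Impact" heading. Move it under its own heading (for example "## Patches") or drop it, since patched_versions already records ">= 1.0.7". This entry is also the only one of the four with cvss_v4: 8.9 where the others carry 6.3, so it is worth confirming the value against the advisory linked in url before merging.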
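Review bot: In gems/crass/GHSA-8vfg-2r28-hvhj.yml, the title does not match the description. The title reads "A large number of adjacent CSS comments can trigger a SystemStackError", which is the same title used in GHSA-wwpr-jff3-395c.yml, while the description covers superlinear parsing time caused by position tracking of multi-byte (non-ASCII) characters and mentions neither comments nor SystemStackError. This looks like a copy-paste from the neighbouring file. Replace the title with the one from the advisory linked in url so that tools that display only the title do not report the wrong issue.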