Audit findings.

Real bugs, not vibes — the security regressions Sebastion catches in live open-source code. Every finding maps to a CWE and is ranked by severity, then published in the open so you can see exactly what a security-first review surfaces before code ships.

1001 findings across 288 repositories — 80 critical, 364 high, 522 medium, 35 low.

Findings come from automated audit runs across public repositories, grouped by scanner severity. They have not all been individually triaged or acknowledged by maintainers; CVE numbers are assigned only after coordinated disclosure where applicable.

Medium

50 on this page
marktext/marktext
Arbitrary local file/application opening via crafted markdown links
CWE-601 src/main/menu/actions/file.js
2026-04-23
twentyhq/twenty
XSS via APPLICATION_ID in server-rendered HTML page
CWE-79 packages/twenty-apps/community/apollo-enrich/src/logic-functions/get-verify-page.ts
2026-04-23
twentyhq/twenty
Command injection via tarball path in downloadExample
CWE-78 packages/create-twenty-app/src/utils/download-example.ts
2026-04-23
twentyhq/twenty
Fireflies webhook signature verification uses non-constant-time comparison
CWE-347 packages/twenty-apps/community/fireflies/src/webhook-validator.ts
2026-04-23
zhayujie/CowAgent
Directory listing of arbitrary paths via ls tool
CWE-22 agent/tools/ls/ls.py
2026-04-23
unslothai/unsloth
User-controlled MCP stdio command execution via recipe payload
CWE-78 studio/backend/core/data_recipe/service.py
2026-04-21
anomalyco/opencode
Open redirect via `continue` query parameter in OAuth authorize endpoint
CWE-601 packages/console/app/src/routes/auth/authorize.ts
2026-04-20
microsoft/markitdown
SSRF via MCP tool convert_to_markdown
CWE-918 packages/markitdown-mcp/src/markitdown_mcp/__main__.py
2026-04-20
yangshun/tech-interview-handbook
Resume delete has no ownership check - any authenticated user can delete any resume
CWE-862 apps/portal/src/server/router/resumes/resumes-resume-user-router.ts
2026-04-20
yangshun/tech-interview-handbook
Unrestricted file upload - no authentication, file type, or size validation
CWE-434 apps/portal/src/pages/api/file-storage.ts
2026-04-20
yangshun/tech-interview-handbook
Resume resolve mutation has no ownership check
CWE-862 apps/portal/src/server/router/resumes/resumes-resume-user-router.ts
2026-04-20
AstrBotDevs/AstrBot
Path traversal in backup importer attachment restoration
CWE-22 astrbot/core/backup/importer.py
2026-04-19
AstrBotDevs/AstrBot
Path traversal in backup importer directory extraction
CWE-22 astrbot/core/backup/importer.py
2026-04-19
devnen/Chatterbox-TTS-Server
Path traversal in file upload endpoint
CWE-22 server.py
2026-04-18
devnen/Chatterbox-TTS-Server
Path traversal via voice parameter in OpenAI-compatible /v1/audio/speech endpoint
CWE-22 server.py
2026-04-18
hsliuping/TradingAgents-CN
MONGO_URI injection into subprocess command (mongodump)
CWE-78 app/services/database/backups.py
2026-04-15
hsliuping/TradingAgents-CN
Passwords hashed with unsalted SHA-256 instead of bcrypt
CWE-916 app/services/user_service.py
2026-04-15
hsliuping/TradingAgents-CN
Hardcoded default JWT secret allows token forgery
CWE-1188 app/core/config.py
2026-04-15
hsliuping/TradingAgents-CN
Missing authentication on multiple internal message endpoints
CWE-862 app/routers/internal_messages.py
2026-04-15
hsliuping/TradingAgents-CN
Missing authentication on social media endpoints allows unauthenticated data injection and exfiltration
CWE-862 app/routers/social_media.py
2026-04-15
hsliuping/TradingAgents-CN
Missing authentication on historical data, financial data sync, and multi-period sync endpoints
CWE-862 app/routers/historical_data.py
2026-04-15
hsliuping/TradingAgents-CN
Missing authentication on /api/config/validate endpoint
CWE-862 app/routers/system_config.py
2026-04-15
hsliuping/TradingAgents-CN
Missing authentication on multi-source sync and stock sync endpoints allowing unauthenticated data source enumeration and sync triggering
CWE-862 app/routers/multi_source_sync.py
2026-04-15
letta-ai/letta
Code injection via run_code / run_code_with_tools built-in tools executing agent-controlled code
CWE-94 letta/services/tool_executor/builtin_tool_executor.py
2026-04-14
letta-ai/letta
Code injection through unsanitized tool arguments in generated execution script
CWE-94 letta/services/tool_sandbox/base.py
2026-04-14
letta-ai/letta
Unsafe eval in coerce_dict_args_by_annotations with allow_unsafe_eval=True
CWE-94 letta/services/tool_sandbox/base.py
2026-04-14
emcie-co/parlant
Arbitrary local file read via OpenAPI source file path
CWE-22 src/parlant/core/services/tools/service_registry.py
2026-04-12
emcie-co/parlant
NoSQL/Query injection via unvalidated filter keys in Snowflake adapter
CWE-89 src/parlant/adapters/db/snowflake_db.py
2026-04-12
emcie-co/parlant
Code injection via ast.literal_eval on untrusted tool arguments
CWE-95 src/parlant/core/services/tools/mcp_service.py
2026-04-12
a-bonus/google-docs-mcp
HTTP Response Header Injection via filename in Content-Disposition
CWE-93 src/downloadProxy.ts
2026-04-10
a-bonus/google-docs-mcp
Path traversal in downloadFile stdio mode via Google Drive file name
CWE-22 src/tools/drive/downloadFile.ts
2026-04-10
a-bonus/google-docs-mcp
Drive API query injection via insufficiently escaped user input in search/list tools
CWE-943 src/driveQueryUtils.ts
2026-04-10
duriantaco/skylos
Unsafe dynamic dispatch via getattr on user-controlled method name
CWE-470 app.py
2026-04-10
duriantaco/skylos
Shell command execution with user-controlled test command
CWE-78 skylos/llm/executor.py
2026-04-10
duriantaco/skylos
Arbitrary pip install via _pip_install_to_temp with package name from project analysis
CWE-78 skylos/llm/verify_orchestrator.py
2026-04-10
duriantaco/skylos
CORS wildcard (*) allows cross-origin requests to Agent Service API
CWE-352 skylos/agent_service.py
2026-04-10
duriantaco/skylos
LLM-generated code written directly to disk and executed via test runner
CWE-94 skylos/llm/cleanup_orchestrator.py
2026-04-10
duriantaco/skylos
VSCode extension executes user-configurable postFixCommand via shell
CWE-78 editors/vscode/src/ai.ts
2026-04-10
duriantaco/skylos
Cross-Site Scripting (XSS) in VSCode webview via unsanitized finding data
CWE-79 editors/vscode/src/dashboard.ts
2026-04-10
duriantaco/skylos
XSS in chat webview via markdown rendering of LLM responses
CWE-79 editors/vscode/src/chatview.ts
2026-04-10
mapbox/mcp-server
SSRF via custom-marker overlay URL in StaticMapImageTool
CWE-918 src/tools/static-map-image-tool/StaticMapImageTool.ts
2026-04-10
mapbox/mcp-server
Access token leaked in MCP UI iframe URL
CWE-200 src/tools/static-map-image-tool/StaticMapImageTool.ts
2026-04-10
microsoft/RD-Agent
Unauthenticated message injection via /receive endpoint
CWE-306 rdagent/log/server/app.py
2026-04-10
microsoft/RD-Agent
Path traversal in /stdout endpoint despite partial mitigation
CWE-22 rdagent/log/server/app.py
2026-04-10
microsoft/RD-Agent
Unauthenticated process termination via /control endpoint
CWE-306 rdagent/log/server/app.py
2026-04-10
microsoft/RD-Agent
Unsafe pickle deserialization in cache_with_pickle decorator
CWE-502 rdagent/core/utils.py
2026-04-10
microsoft/RD-Agent
Shell command injection via CI/run.py subprocess calls with user-controlled directory
CWE-78 rdagent/app/CI/run.py
2026-04-10
microsoft/RD-Agent
Symlink traversal in workspace checkpoint restore (recover_ws_ckp)
CWE-22 rdagent/core/experiment.py
2026-04-10
microsoft/RD-Agent
Unsafe pickle deserialization in Docker env cached_run
CWE-502 rdagent/utils/env.py
2026-04-10
microsoft/RD-Agent
Unsafe pickle deserialization in dump_python_code_run_and_get_results
CWE-502 rdagent/utils/env.py
2026-04-10