Skip to content
Sebastion public security findings.Browse the research
FoundationMachines
Findings

Audit findings.

Real bugs, not vibes — the security regressions Sebastion catches in live open-source code. Every finding maps to a CWE and is ranked by severity, then published in the open so you can see exactly what a security-first review surfaces before code ships.

1001 findings across 288 repositories — 80 critical, 364 high, 522 medium, 35 low.

Findings come from automated audit runs across public repositories, grouped by scanner severity. They have not all been individually triaged or acknowledged by maintainers; CVE numbers are assigned only after coordinated disclosure where applicable.

Medium

50 on this page
microsoft/RD-Agent
Unsafe pickle deserialization in KnowledgeBase.load via dill
CWE-502rdagent/core/knowledge_base.py
2026-04-10
microsoft/RD-Agent
Unsafe pickle deserialization in get_summary_df via pd.read_pickle
CWE-502rdagent/log/ui/utils.py
2026-04-10
microsoft/RD-Agent
Unsafe pickle deserialization in CoSTEER knowledge base loading
CWE-502rdagent/components/coder/CoSTEER/knowledge_management.py
2026-04-10
resend/resend-mcp
SSRF via send-email attachment URL parameter
CWE-918src/tools/emails.ts
2026-04-10
resend/resend-mcp
HTML injection in email body via MCP tool call parameters
CWE-79src/tools/emails.ts
2026-04-10
resend/resend-mcp
API key exposure via HTTP transport passthrough — client-supplied Bearer token used as Resend API key
CWE-200src/transports/http.ts
2026-04-10
NVIDIA-AI-Blueprints/rag
Milvus filter expression injection via collection_name in multiple database operations
CWE-89src/nvidia_rag/utils/vdb/milvus/milvus_vdb.py
2026-04-07
NVIDIA-AI-Blueprints/rag
Milvus filter expression injection via document source_value in delete_documents
CWE-89src/nvidia_rag/utils/vdb/milvus/milvus_vdb.py
2026-04-07
NVIDIA-AI-Blueprints/rag
Path traversal in MCP server file upload tools
CWE-22examples/nvidia_rag_mcp/mcp_server.py
2026-04-07
NVIDIA-AI-Blueprints/rag
SSRF via user-controlled endpoint URLs in RAG/Ingestor API
CWE-918src/nvidia_rag/rag_server/server.py
2026-04-07
NVIDIA-AI-Blueprints/rag
Path traversal via user-controlled output_directory in nvingest save_to_disk
CWE-22src/nvidia_rag/ingestor_server/nvingest.py
2026-04-07
NVIDIA-AI-Blueprints/rag
Prompt injection via VLM template format string with user-controlled context/question
CWE-94src/nvidia_rag/rag_server/vlm.py
2026-04-07
Softeria/ms-365-mcp-server
HTTP header injection via tool parameters mapped to Header type
CWE-74src/graph-tools.ts
2026-04-07
Softeria/ms-365-mcp-server
Open redirect via redirect_uri parameter forwarded to Microsoft OAuth
CWE-601src/server.ts
2026-04-07
Softeria/ms-365-mcp-server
Path traversal via MS365_MCP_TOKEN_CACHE_PATH and MS365_MCP_SELECTED_ACCOUNT_PATH environment variables
CWE-22src/auth.ts
2026-04-07
Softeria/ms-365-mcp-server
Unsupported grant_type error response reflects user input enabling information probing
CWE-200src/server.ts
2026-04-07
Softeria/ms-365-mcp-server
Sensitive token and secret values logged to file
CWE-532src/auth.ts
2026-04-07
ihor-sokoliuk/mcp-searxng
Server-Side Request Forgery (SSRF) via web_url_read tool when not in hardened mode
CWE-918src/url-reader.ts
2026-04-07
ihor-sokoliuk/mcp-searxng
SSRF via DNS rebinding bypasses IP-based private URL checks
CWE-918src/url-reader.ts
2026-04-07
ihor-sokoliuk/mcp-searxng
HTTP transport has no authentication by default, allowing unauthorized tool execution
CWE-1390src/http-server.ts
2026-04-07
line/line-bot-mcp-server
Path traversal via SERVER_PATH environment variable in rich menu template loading
CWE-22src/tools/createRichMenu.ts
2026-04-07
microsoft/mcp-gateway
Environment variable passthrough leaks secrets to spawned child process
CWE-78sample-servers/mcp-proxy/src/main.py
2026-04-07
microsoft/mcp-gateway
Insufficient command validation allows arbitrary binary execution via MCP_COMMAND
CWE-78sample-servers/mcp-proxy/src/main.py
2026-04-07
smithery-ai/cli
OS command injection via client process name in process management utilities
CWE-78src/utils/client.ts
2026-04-07
smithery-ai/cli
Arbitrary code execution via bundle manifest command injection
CWE-94src/lib/mcpb.ts
2026-04-07
smithery-ai/cli
Command injection via unsanitized server name in `execFileSync` for command-based clients
CWE-78src/lib/client-config-io.ts
2026-04-07
tonykipkemboi/ollama_pdf_rag
Path traversal in file deletion via stored filename path
CWE-22src/api/services/pdf_service.py
2026-04-07
tonykipkemboi/ollama_pdf_rag
SSRF / arbitrary model selection in RAG query endpoint
CWE-918src/api/routers/query.py
2026-04-07
FunnyWolf/agentic-soc-platform
SSRF via LLM-controlled IOC values passed to AlienVaultOTX API
CWE-918PLUGINS/AlienVaultOTX/alienvaultotx.py
2026-04-06
FunnyWolf/agentic-soc-platform
Raw alert data from Redis stored unvalidated into raw_data field and passed to LLM
CWE-502MODULES/NDR-Rule-05-Suspect-C2-Communication.py
2026-04-06
FunnyWolf/agentic-soc-platform
Indirect Prompt Injection via alert/case data flowing into LLM agent context
CWE-94PLAYBOOKS/CASE/Threat_Hunting_Agent.py
2026-04-06
FunnyWolf/agentic-soc-platform
Unhandled exception details leaked to HTTP response via views_except_handler
CWE-200Lib/customexception.py
2026-04-06
SalesforceAIResearch/MCP-Universe
IDOR on benchmark job retrieval - any authenticated user can view any job
CWE-863mcpuniverse/app/api/job.py
2026-04-06
SalesforceAIResearch/MCP-Universe
Jinja2 SSTI in task question template rendering
CWE-1336mcpuniverse/benchmark/task.py
2026-04-06
SalesforceAIResearch/MCP-Universe
Jinja2 SSTI in EvaluatorConfig.set_environ_variables
CWE-1336mcpuniverse/evaluator/evaluator.py
2026-04-06
SalesforceAIResearch/MCP-Universe
Environment variable leakage via Jinja2 template rendering with full os.environ
CWE-200mcpuniverse/evaluator/evaluator.py
2026-04-06
SalesforceAIResearch/MCP-Universe
Jinja2 SSTI in Reflection agent's reflection prompt rendering
CWE-1336mcpuniverse/agent/reflection.py
2026-04-06
SylphxAI/pdf-reader-mcp
Server-Side Request Forgery (SSRF) via URL source parameter
CWE-918src/pdf/loader.ts
2026-04-06
SylphxAI/pdf-reader-mcp
Wildcard CORS in HTTP transport mode allows cross-origin exploitation
CWE-942src/index.ts
2026-04-06
neondatabase/mcp-server-neon
All request headers stored verbatim during client registration, including sensitive headers
CWE-200landing/app/api/register/route.ts
2026-04-06
neondatabase/mcp-server-neon
SQL statements from MCP tool calls executed without structural validation
CWE-89landing/mcp-src/tools/tools.ts
2026-04-06
skalesapp/skales
SSRF via webhook forwarding to attacker-controlled host header
CWE-918apps/web/src/app/api/webhook/route.ts
2026-04-06
skalesapp/skales
No authentication on sensitive API endpoints (Telegram, WhatsApp, buddy-chat, system)
CWE-862apps/web/src/app/api/buddy-chat/route.ts
2026-04-06
skalesapp/skales
Path traversal in /api/file route serves arbitrary workspace-adjacent files
CWE-22apps/web/src/app/api/file/route.ts
2026-04-06
skalesapp/skales
LLM-generated skill code validated with validateSkillCode then saved and executed without sandboxing
CWE-94apps/web/src/app/api/custom-skills/generate/route.ts
2026-04-06
skalesapp/skales
isPathAllowed catch-all returns allowed:true, silently bypassing file access controls on any error
CWE-200apps/web/src/actions/orchestrator.ts
2026-04-06
skalesapp/skales
Full filesystem read/write when fileSystemAccess is set to 'full' with inadequate blocked path checks
CWE-22apps/web/src/actions/computer-use.ts
2026-04-06
skalesapp/skales
Zip slip vulnerability in backup import allows file writes outside DATA_DIR
CWE-502apps/web/src/actions/backup.ts
2026-04-06
skalesapp/skales
WhatsApp bot uses shell (execSync) to kill processes on port conflict with no input sanitization
CWE-78apps/web/whatsapp-bot.js
2026-04-06
skalesapp/skales
TLS certificate validation disabled in all email (IMAP/SMTP) connections
CWE-295apps/web/src/actions/email.ts
2026-04-06