Findings

Audit findings.

Real bugs, not vibes — the security regressions Sebastion catches in live open-source code. Every finding maps to a CWE and is ranked by severity, then published in the open so you can see exactly what a security-first review surfaces before code ships.

1001 findings across 288 repositories — 80 critical, 364 high, 522 medium, 35 low.

Findings come from automated audit runs across public repositories, grouped by scanner severity. They have not all been individually triaged or acknowledged by maintainers; CVE numbers are assigned only after coordinated disclosure where applicable.

Medium

50 on this page

jjyaoao/HelloAgents

SSRF via image URL fetching in gift card generator

CWE-918skills/gift-evaluator/html_tools.py

2026-04-03

jjyaoao/HelloAgents

Shell command injection via unsanitized filename in subprocess calls

CWE-78skills/xlsx/recalc.py

2026-04-03

jjyaoao/HelloAgents

Zip extraction without path validation enables zip slip attack

CWE-22skills/docx/ooxml/scripts/unpack.py

2026-04-03

microsoft/agent-lightning

SSRF via open proxy in v0 daemon Flask server

CWE-918agentlightning/verl/daemon.py

2026-04-03

microsoft/agent-lightning

Pickle deserialization of untrusted data from shared memory in execution layer

CWE-502agentlightning/execution/shared_memory.py

2026-04-03

microsoft/agent-lightning

Pickle deserialization of network data in client-server execution engine

CWE-502agentlightning/execution/client_server.py

2026-04-03

microsoft/agent-lightning

Arbitrary class instantiation via dynamic import in Trainer component specs

CWE-94agentlightning/trainer/init_utils.py

2026-04-03

microsoft/agent-lightning

NoSQL injection via unvalidated filter parameters in MongoDB store

CWE-943agentlightning/store/collection/mongo.py

2026-04-03

nanbingxyz/5ire

TLS certificate validation globally disabled

CWE-295src/main/main.ts

2026-04-03

nanbingxyz/5ire

Path traversal via DocumentLoader IPC handlers

CWE-22src/main/main.ts

2026-04-03

nanbingxyz/5ire

Stored XSS via markdown rendering with html:true and insufficient DOMPurify configuration

CWE-79src/hooks/useMarkdown.ts

2026-04-03

nanbingxyz/5ire

API keys transmitted in plaintext due to disabled certificate validation

CWE-319src/intellichat/services/OpenAIChatService.ts

2026-04-03

nanbingxyz/5ire

Google API key exposed in URL query parameter

CWE-200src/intellichat/services/GoogleChatService.ts

2026-04-03

nanbingxyz/5ire

ECharts plugin enables arbitrary script execution via crafted chart config in LLM responses

CWE-79src/libs/markdownit-plugins/markdownItEChartsPlugin.ts

2026-04-03

test-zeus-ai/testzeus-hercules

Server-Side Request Forgery in PDF text extractor via agent-controlled URL

CWE-918testzeus_hercules/core/extra_tools/pdf_text_extractor.py

2026-04-03

AIPexStudio/AIPex

MCP daemon WebSocket relay has no authentication, allowing local network tool execution

CWE-319mcp-bridge/src/daemon.ts

2026-04-02

AIPexStudio/AIPex

Skill API filesystem operations allow path traversal outside skill directory

CWE-22packages/browser-runtime/src/lib/vm/skill-api.ts

2026-04-02

AIPexStudio/AIPex

QuickJS module loader error message enables code injection via crafted module name

CWE-94packages/browser-runtime/src/lib/vm/quickjs-manager.ts

2026-04-02

AIPexStudio/AIPex

Skill upload ZIP extraction allows path traversal via crafted filenames (zip slip)

CWE-22packages/browser-runtime/src/skill/lib/utils/zip-utils.ts

2026-04-02

AIPexStudio/AIPex

Download tools pass user-controlled filenames/paths to chrome.downloads.download without sanitization

CWE-22packages/browser-runtime/src/tools/tools/downloads/index.ts

2026-04-02

arabold/docs-mcp-server

Path traversal in LocalFileStrategy via file:// URLs

CWE-22src/scraper/strategies/LocalFileStrategy.ts

2026-04-02

arabold/docs-mcp-server

Open redirect in OAuth authorize endpoint

CWE-601src/auth/ProxyAuthManager.ts

2026-04-02

arabold/docs-mcp-server

OAuth token proxy forwards tokens without audience/scope validation

CWE-200src/auth/ProxyAuthManager.ts

2026-04-02

arabold/docs-mcp-server

SSRF via web UI scrape form allows unauthenticated scraping of arbitrary URLs

CWE-918src/web/routes/jobs/new.tsx

2026-04-02

arabold/docs-mcp-server

SQL injection risk via unsanitized library/version names in raw SQL queries

CWE-89src/store/DocumentStore.ts

2026-04-02

browserwing/browserwing

Shell injection via CHROME_URL environment variable in test script

CWE-78docker/chrome/test-chrome.sh

2026-04-02

browserwing/browserwing

XHR interceptor sends captured request/response data to any parent via postMessage without target origin restriction

CWE-346backend/services/browser/scripts/xhr_interceptor.js

2026-04-02

browserwing/browserwing

iframe_listener accepts postMessage from any origin without validation

CWE-346backend/services/browser/scripts/iframe_listener.js

2026-04-02

BAI-LAB/MemoryOS

API key stored in Flask session and returned in init response leak risk

CWE-200memoryos-playground/memdemo/app.py

2026-04-01

BAI-LAB/MemoryOS

Unbounded in-memory session storage enables denial of service

CWE-400memoryos-playground/memdemo/app.py

2026-04-01

BAI-LAB/MemoryOS

Prompt injection via stored memory content influences LLM behavior

CWE-611memoryos-playground/memoryos.py

2026-04-01

BAI-LAB/MemoryOS

Unsafe JSON deserialization from user-writable files enables data corruption

CWE-502memoryos-pypi/long_term.py

2026-04-01

BAI-LAB/MemoryOS

Path traversal via user_id in memoryos-mcp Memoryos constructor enables arbitrary file writes

CWE-22memoryos-mcp/memoryos/memoryos.py

2026-04-01

BAI-LAB/MemoryOS

Hardcoded API key committed in test file

CWE-798memoryos-playground/test.py

2026-04-01

Flux159/mcp-server-kubernetes

Arbitrary file read via patchFile parameter in kubectl_patch

CWE-22src/tools/kubectl-patch.ts

2026-04-01

Flux159/mcp-server-kubernetes

Arbitrary file read via fromFile parameter in kubectl_create

CWE-22src/tools/kubectl-create.ts

2026-04-01

Flux159/mcp-server-kubernetes

DNS rebinding protection disabled by default on streamable HTTP transport

CWE-319src/utils/streamable-http.ts

2026-04-01

kaushikb11/awesome-llm-agents

GitHub Actions workflow uses unpinned actions (tag-only references)

CWE-829.github/workflows/main.yml

2026-04-01

kaushikb11/awesome-llm-agents

Server-Side Request Forgery via README-sourced URLs passed to GitHub API

CWE-918update_metrics.py

2026-04-01

microsoft/azure-devops-mcp

Path traversal bypass in artifact download via resolve()

CWE-22src/tools/pipelines.ts

2026-04-01

microsoft/azure-devops-mcp

Server-Side Request Forgery via org name in tenant lookup

CWE-918src/org-tenants.ts

2026-04-01

modelscope/AgentEvolver

Unrestricted dynamic class loading from config in load_agent_class

CWE-94games/utils.py

2026-04-01

modelscope/AgentEvolver

Shell command injection via daemon.py LaunchWhenAbsent with PTY mode

CWE-78agentevolver/utils/daemon.py

2026-04-01

modelscope/AgentEvolver

Log file path injection via CLIENT_LOG_PATH environment variable

CWE-22env_service/env_client.py

2026-04-01

modelscope/AgentEvolver

Full stack trace exposure in HTTP error responses

CWE-209env_service/env_service.py

2026-04-01

modelscope/AgentEvolver

Process killing via pattern matching on 'ray' and 'python' keywords is overly broad

CWE-78launcher.py

2026-04-01

modelscope/AgentEvolver

Directory traversal via experiment_name from user-provided YAML config

CWE-22launcher.py

2026-04-01

modelscope/AgentEvolver

DEBUG_ARG environment variable influences validation dataset selection without sanitization

CWE-200agentevolver/module/trainer/ae_ray_trainer.py

2026-04-01

regenrek/deepwiki-mcp

Server-Side Request Forgery (SSRF) via deepwiki_search tool bypassing domain restriction

CWE-918src/tools/deepwikiSearch.ts

2026-04-01

regenrek/deepwiki-mcp

SSRF via open redirect / URL manipulation in deepwiki_fetch tool's resolveRepo path

CWE-918src/tools/deepwiki.ts

2026-04-01