Audit findings.

Real bugs, not vibes — the security regressions Sebastion catches in live open-source code. Every finding maps to a CWE and is ranked by severity, then published in the open so you can see exactly what a security-first review surfaces before code ships.

1001 findings across 288 repositories — 80 critical, 364 high, 522 medium, 35 low.

Findings come from automated audit runs across public repositories, grouped by scanner severity. They have not all been individually triaged or acknowledged by maintainers; CVE numbers are assigned only after coordinated disclosure where applicable.

Medium

50 on this page
jeremylongshore/claude-code-plugins-plus-skills
FTS5 query injection via unsanitized search query in SQLite MATCH clause
CWE-89 plugins/mcp/lumera-agent-memory/src/index/index.py
2026-03-31
jeremylongshore/claude-code-plugins-plus-skills
Shell metacharacter injection via gh repo edit --description
CWE-77 scripts/update-metrics.mjs
2026-03-31
open-compress/claw-compactor
Unsanitized pythonBin config allows arbitrary command execution in compression middleware
CWE-78 proxy/compression-middleware.mjs
2026-03-31
open-compress/claw-compactor
Shell script sources .env file without sanitization, enabling command injection
CWE-94 scripts/engram-auto.sh
2026-03-31
timescale/pg-aiguide
Stored index definition re-executed without validation in finalize_database()
CWE-89 ingest/document_importer.py
2026-03-31
timescale/pg-aiguide
Stored index definition re-executed without validation in tiger_docs DatabaseManager.finalize()
CWE-89 ingest/tiger_docs.py
2026-03-31
timescale/pg-aiguide
Unparameterized schema name in SQL via string interpolation in migrate.ts
CWE-89 src/migrate.ts
2026-03-31
ForLoopCodes/contextplus
Path traversal in walkDirectory via targetPath parameter
CWE-22 src/core/walker.ts
2026-03-30
ForLoopCodes/contextplus
Partial command injection via targetPath in static analysis runner
CWE-78 src/tools/static-analysis.ts
2026-03-30
cloudflare/mcp-server-cloudflare
DEV_DISABLE_OAUTH bypass allows unauthenticated access if environment variable is misconfigured
CWE-200 packages/mcp-common/src/api-token-mode.ts
2026-03-30
modelcontextprotocol/ext-apps
innerHTML used with server-derived data in QR code viewer (embedded HTML)
CWE-79 examples/qr-server/server.py
2026-03-30
modelcontextprotocol/ext-apps
innerHTML assignment with server-controlled data in video picker
CWE-79 examples/video-resource-server/src/mcp-app.ts
2026-03-30
modelcontextprotocol/ext-apps
Debug server log file path controlled via CLI argument without path validation
CWE-22 examples/debug-server/server.ts
2026-03-30
taylorwilsdon/google_workspace_mcp
Path traversal in credential store via user_email parameter
CWE-22 auth/credential_store.py
2026-03-30
taylorwilsdon/google_workspace_mcp
Path traversal in attachment serving endpoint via file_id
CWE-22 core/server.py
2026-03-30
taylorwilsdon/google_workspace_mcp
Unsanitized filename in attachment save allows directory escape
CWE-22 core/attachment_storage.py
2026-03-30
GLips/Figma-Context-MCP
Path traversal via fileName with suffix injection in download-figma-images-tool
CWE-22 src/mcp/tools/download-figma-images-tool.ts
2026-03-29
GLips/Figma-Context-MCP
Figma API token exposed to arbitrary curl subprocess via fallback mechanism
CWE-200 src/utils/fetch-with-retry.ts
2026-03-29
MCPJam/inspector
SSRF via OAuth metadata endpoint with no URL validation
CWE-918 mcpjam-inspector/server/routes/mcp/oauth.ts
2026-03-29
MCPJam/inspector
Bearer auth middleware passes through unvalidated tokens as authenticated
CWE-287 mcpjam-inspector/server/middleware/bearer-auth.ts
2026-03-29
MCPJam/inspector
SSRF via OAuth debug proxy in local mode
CWE-918 mcpjam-inspector/server/routes/mcp/oauth.ts
2026-03-29
nottelabs/notte
Unsanitized input passed to subprocess in benchmark runner
CWE-78 packages/notte-eval/src/notte_eval/webvoyager/run.py
2026-03-29
nottelabs/notte
Sensitive credentials potentially leaked via telemetry on error path
CWE-200 packages/notte-core/src/notte_core/common/telemetry.py
2026-03-29
nottelabs/notte
Steel API key exposed in WebSocket URL query parameter
CWE-319 packages/notte-integrations/src/notte_integrations/sessions/steel.py
2026-03-29
samanhappy/mcphub
SSE/MCP user context middleware trusts URL path parameter for user identity without authentication
CWE-287 src/middlewares/userContext.ts
2026-03-29
samanhappy/mcphub
Default admin credentials (admin/admin123) with no forced password change
CWE-1188 src/models/User.ts
2026-03-29
samanhappy/mcphub
Bearer key access-type scoping (groups/servers) is checked for existence but not enforced on requests
CWE-863 src/middlewares/auth.ts
2026-03-29
HolmesGPT/holmesgpt
SSRF via LLM-directed HTTP requests in Confluence/HTTP toolset
CWE-918 holmes/plugins/toolsets/confluence/confluence.py
2026-03-28
bytebase/dbhub
Overly permissive CORS reflects arbitrary Origin header
CWE-346 src/server.ts
2026-03-28
bytebase/dbhub
Read-only SQL check bypass via MySQL/MariaDB conditional comments
CWE-89 src/utils/sql-parser.ts
2026-03-28
google/adk-python
GitHub Actions workflow injection via issue title/body in triage workflow
CWE-78 .github/workflows/triage.yml
2026-03-28
google/adk-python
GitHub Actions workflow injection via PR content in pr-triage workflow using pull_request_target
CWE-78 .github/workflows/pr-triage.yml
2026-03-28
google/adk-python
Shell command injection via workflow_dispatch input in analyze-releases workflow
CWE-94 .github/workflows/analyze-releases-for-adk-docs-updates.yml
2026-03-28
perplexityai/modelcontextprotocol
Server-Side Request Forgery via PERPLEXITY_BASE_URL environment variable
CWE-918 src/server.ts
2026-03-28
perplexityai/modelcontextprotocol
SSRF via user-controlled proxy environment variables
CWE-918 src/server.ts
2026-03-28
EverMind-AI/EverMemOS
Pickle deserialization of potentially untrusted files in ResultSaver
CWE-502 evaluation/src/utils/saver.py
2026-03-27
EverMind-AI/EverMemOS
Hardcoded MongoDB credentials in docker-compose.yaml
CWE-798 docker-compose.yaml
2026-03-27
EverMind-AI/EverMemOS
Hardcoded MinIO credentials in docker-compose.yaml
CWE-798 docker-compose.yaml
2026-03-27
HKUDS/LightRAG
SQL injection risk in configure_vchordrq via environment variables
CWE-89 lightrag/kg/postgres_impl.py
2026-03-27
HKUDS/LightRAG
Path traversal in workspace header allows cross-workspace data access
CWE-22 lightrag/api/lightrag_server.py
2026-03-27
HKUDS/LightRAG
OpenSearch injection via unsanitized entity names in query construction
CWE-89 lightrag/kg/opensearch_impl.py
2026-03-27
VibiumDev/vibium
Code execution via exec() on markdown-sourced code in tutorial test runner (Python)
CWE-94 tests/py/helpers/tutorial_runner.py
2026-03-27
VibiumDev/vibium
Code execution via new Function() on markdown-sourced code in tutorial test runner (JS)
CWE-94 tests/js/helpers/tutorial-runner.js
2026-03-27
browserbase/mcp-server-browserbase
Server-Side Request Forgery via navigate/URL tools accepting arbitrary URLs from MCP clients
CWE-918 src/tools/agent.ts
2026-03-27
browserbase/mcp-server-browserbase
HTTP transport exposes MCP server without authentication on configurable network interfaces
CWE-319 src/transport.ts
2026-03-27
e2b-dev/E2B
Local HTTP proxy exposes Docker registry credentials without TLS
CWE-319 packages/cli/src/commands/template/buildWithProxy.ts
2026-03-27
e2b-dev/E2B
API key and access token stored in plaintext in user config file
CWE-312 packages/cli/src/user.ts
2026-03-27
langbot-app/LangBot
SQL injection via sort_by and sort_order parameters in pipeline listing
CWE-89 src/langbot/pkg/api/http/controller/groups/pipelines/pipelines.py
2026-03-27
langbot-app/LangBot
YAML deserialization with FullLoader allows arbitrary Python object instantiation
CWE-502 src/langbot/pkg/config/impls/yaml.py
2026-03-27
langbot-app/LangBot
PostgreSQL password included in SQLAlchemy engine URL without encoding, potential credential exposure in logs/errors
CWE-200 src/langbot/pkg/persistence/databases/postgresql.py
2026-03-27