Sebastion public security findings

Audit findings.

Real bugs, not vibes — the security regressions Sebastion catches in live open-source code. Every finding maps to a CWE and is ranked by severity, then published in the open so you can see exactly what a security-first review surfaces before code ships.

1001 findings across 288 repositories — 80 critical, 364 high, 522 medium, 35 low.

Findings come from automated audit runs across public repositories, grouped by scanner severity. They have not all been individually triaged or acknowledged by maintainers; CVE numbers are assigned only after coordinated disclosure where applicable.

Medium (50 on this page)
QwenLM/Qwen-Agent
Stored XSS via browsing history titles rendered as HTML
CWE-79 | qwen_server/workstation_server.py | 2026-03-24

ZhuLinsen/daily_stock_analysis
IP-based rate limiting bypass via spoofed X-Forwarded-For header
CWE-345 | src/auth.py | 2026-03-24

mlflow/mlflow
Arbitrary module import via loader_module in model configuration
CWE-94 | mlflow/pyfunc/__init__.py | 2026-03-24

mlflow/mlflow
Subprocess spawned with user-influenced model_uri paths in spark_udf scoring server
CWE-78 | mlflow/pyfunc/__init__.py | 2026-03-24

ntegrals/openbrowser
Unix socket created in world-accessible /tmp directory without permission restrictions
CWE-284 | packages/cli/src/server.ts | 2026-03-24

ntegrals/openbrowser
Unsafe JSON.parse of conversation state file without schema validation
CWE-502 | packages/core/src/agent/conversation/service.ts | 2026-03-24

pydantic/pydantic-ai
Unsanitized database name in CREATE DATABASE via f-string
CWE-89 | examples/pydantic_ai_examples/sql_gen.py | 2026-03-24

Crosstalk-Solutions/project-nomad
Hardcoded HMAC secret for benchmark submission signing
CWE-798 | admin/app/services/benchmark_service.ts | 2026-03-23

Crosstalk-Solutions/project-nomad
GitHub Actions script injection via workflow_dispatch inputs in release notes finalization
CWE-77 | .github/workflows/release.yml | 2026-03-23

IBM/mcp-context-forge
SQL LIKE injection via json_key parameter in _get_span_entity_performance
CWE-89 | mcpgateway/admin.py | 2026-03-23

IBM/mcp-context-forge
CSRF bypass when no Origin and no Referer headers are present on cookie-authenticated requests
CWE-352 | mcpgateway/admin.py | 2026-03-23

Josh-XT/AGiXT
Solana private keys stored in plaintext in agent settings database
CWE-200 | agixt/Agent.py | 2026-03-23

Josh-XT/AGiXT
get_agent_commands_only lacks authorization check for agent ownership
CWE-863 | agixt/Agent.py | 2026-03-23

Josh-XT/AGiXT
Sensitive provider credentials logged in debug/warning messages
CWE-532 | agixt/Agent.py | 2026-03-23

Pimzino/spec-workflow-mcp
Regular expression injection in changelog version parameter
CWE-1333 | src/dashboard/multi-server.ts | 2026-03-23

Pimzino/spec-workflow-mcp
Path traversal via projectPath in add project endpoint
CWE-22 | src/dashboard/multi-server.ts | 2026-03-23

Pimzino/spec-workflow-mcp
Path traversal in steering document name parameter
CWE-22 | src/dashboard/multi-server.ts | 2026-03-23

av/harbor
Shell injection via eval in env_manager config values consumed by eval echo
CWE-78 | harbor.sh | 2026-03-23

av/harbor
Command injection through service names in unquoted command substitution
CWE-78 | harbor.sh | 2026-03-23

av/harbor
Shell injection in run_llamacpp_pull via model name interpolated into shell script
CWE-78 | harbor.sh | 2026-03-23

exa-labs/exa-mcp-server
IP-based rate limiting bypassable via spoofed headers
CWE-346 | api/mcp.ts | 2026-03-22

exa-labs/exa-mcp-server
API key exposure in URL query parameter logged and potentially stored in server/proxy logs
CWE-200 | api/mcp.ts | 2026-03-22

gptme/gptme
Arbitrary code execution via --eval-module loading untrusted Python files
CWE-94 | gptme/eval/main.py | 2026-03-22

gptme/gptme
Shell command execution with LLM-generated content in server mode
CWE-78 | gptme/server/session_step.py | 2026-03-22

inclusionAI/AReaL
Hardcoded default admin API key in OpenAI proxy server
CWE-798 | areal/experimental/openai/proxy/proxy_rollout_server.py | 2026-03-22

inclusionAI/AReaL
User-controlled config values passed to subprocess command construction without sanitization
CWE-78 | areal/api/cli_args.py | 2026-03-22

makenotion/notion-mcp-server
Timing-attack vulnerable bearer token comparison
CWE-208 | scripts/start-server.ts | 2026-03-22

makenotion/notion-mcp-server
Recursive JSON deserialization of user-controlled tool parameters may cause prototype pollution or unexpected object injection
CWE-502 | src/openapi-mcp-server/mcp/proxy.ts | 2026-03-22

ModelEngine-Group/nexent
Path traversal in default agents JSON file loading
CWE-22 | backend/services/agent_service.py | 2026-03-21

ModelEngine-Group/nexent
Sensitive credentials written to .env file in plaintext via deploy.sh
CWE-532 | docker/deploy.sh | 2026-03-21

Mai-with-u/MaiBot
Dynamic class creation from MCP server-controlled data
CWE-94 | plugins/MaiBot_MCPBridgePlugin/plugin.py | 2026-03-20

Mai-with-u/MaiBot
SSRF via user-controlled MCP resource URI
CWE-918 | plugins/MaiBot_MCPBridgePlugin/plugin.py | 2026-03-20

volcengine/OpenViking
Path traversal in download command writes to arbitrary local paths
CWE-22 | third_party/agfs/agfs-shell/agfs_shell/builtins.py | 2026-03-19

volcengine/OpenViking
Path traversal via AGFS directory entry names in _download_dir
CWE-22 | third_party/agfs/agfs-shell/agfs_shell/builtins.py | 2026-03-19

volcengine/OpenViking
Local file read via cmd_cat fallback without path validation
CWE-22 | third_party/agfs/agfs-shell/agfs_shell/builtins.py | 2026-03-19

volcengine/OpenViking
Arbitrary local file write via cmd_upload with unsanitized local_path
CWE-22 | third_party/agfs/agfs-shell/agfs_shell/builtins.py | 2026-03-19

getsentry/XcodeBuildMCP
Command injection via unsanitized arguments passed to shell execution
CWE-78 | src/utils/command.ts | 2026-03-18

getsentry/XcodeBuildMCP
Unsanitized bundleId interpolated into log stream predicate passed to shell command
CWE-78 | src/utils/log_capture.ts | 2026-03-18

MemMachine/MemMachine
Path traversal via user-controlled destination in ConfigurationWizard
CWE-22 | packages/server/src/memmachine_server/installation/configuration_wizard.py | 2026-03-17

MemMachine/MemMachine
Unsafe tarfile extraction allows path traversal (zip slip)
CWE-94 | packages/server/src/memmachine_server/installation/memmachine_configure.py | 2026-03-17

InternLM/xtuner
GitHub Actions expression injection via unsanitized comment body
CWE-94 | .github/workflows/claude-general.yml | 2026-03-16

NousResearch/hermes-agent
YAML config file loaded with yaml.safe_load controls environment variables and subprocess execution
CWE-94 | cli.py | 2026-03-14

NousResearch/hermes-agent
Git worktree operations use unsanitized repo paths in subprocess calls
CWE-78 | cli.py | 2026-03-14

langchain-ai/open-swe
Shell command injection via unsanitized repo_dir in _run_git and related functions
CWE-78 | agent/utils/github.py | 2026-03-12

langchain-ai/open-swe
MD5 used for thread ID generation enables collision-based thread hijacking
CWE-328 | agent/webapp.py | 2026-03-12

langchain-ai/open-swe
Auth error messages leak internal error details to external users
CWE-200 | agent/utils/auth.py | 2026-03-12

shaxiu/XianyuAutoAgent
LLM prompt injection via buyer chat messages leading to unintended agent behavior
CWE-94 | main.py | 2026-03-11

shaxiu/XianyuAutoAgent
Sensitive credentials logged and written to .env file in plaintext from user input
CWE-532 | XianyuApis.py | 2026-03-11

0x4m4/hexstrike-ai
API host binding configurable via environment variable allows network exposure
CWE-200 | hexstrike_server.py

0x4m4/hexstrike-ai
Unsanitized context parameters flow into tool command arguments
CWE-78 | hexstrike_server.py