Findings
Audit findings.
Real bugs, not vibes — the security regressions Sebastion catches in live open-source code. Every finding maps to a CWE and is ranked by severity, then published in the open so you can see exactly what a security-first review surfaces before code ships.
1001 findings across 288 repositories — 80 critical, 364 high, 522 medium, 35 low.
Findings come from automated audit runs across public repositories, grouped by scanner severity. They have not all been individually triaged or acknowledged by maintainers; CVE numbers are assigned only after coordinated disclosure where applicable.
Critical
30 on this page

kernel/kernel-images: Arbitrary code execution via Unix socket in playwright-daemon
CWE-94 server/runtime/playwright-daemon.ts
2026-04-04

strands-agents/tools: Shell command injection via agent-controlled input to shell tool
CWE-78 src/strands_tools/shell.py
2026-04-03

strands-agents/tools: Arbitrary Python code execution via agent-controlled input to python_repl tool
CWE-94 src/strands_tools/python_repl.py
2026-04-03

test-zeus-ai/testzeus-hercules: Arbitrary code execution via exec() in sandbox with attacker-controlled code from file
CWE-94 testzeus_hercules/core/tools/execute_python_sandbox.py
2026-04-03

test-zeus-ai/testzeus-hercules: Arbitrary code execution via exec() in _parse_custom_injections from environment variable
CWE-94 testzeus_hercules/core/tools/execute_python_sandbox.py
2026-04-03

Flux159/mcp-server-kubernetes: Command injection via shell splitting in port_forward.ts
CWE-78 src/tools/port_forward.ts
2026-04-01

microsoft/azure-devops-mcp: Command injection via AI response in GitHub Actions workflow
CWE-78 .github/workflows/ai-issue-processing.yml
2026-04-01

cloudflare/mcp-server-cloudflare: Arbitrary command execution via container_exec tool
CWE-78 apps/sandbox-container/container/sandbox.container.app.ts
2026-03-30

HolmesGPT/holmesgpt: LLM-directed arbitrary command execution via bash toolset with BASH_TOOL_UNSAFE_ALLOW_ALL
CWE-78 holmes/plugins/toolsets/bash/common/bash.py
2026-03-28

langbot-app/LangBot: Authenticated Remote Code Execution via exec() on user-supplied Python code
CWE-94 src/langbot/pkg/api/http/controller/groups/system.py
2026-03-27

openlit/openlit: OS Command Injection via cron job manipulation
CWE-78 src/client/src/helpers/server/cron.ts
2026-03-27

ruc-datalab/DeepAnalyze: OS Command Injection via unsanitized JSON data in score4each_com.py
CWE-78 playground/DSBench/data_modeling/score4each_com.py
2026-03-27

FoundationAgents/MetaGPT: Arbitrary code execution via exec() in RunCode.run_text
CWE-95 metagpt/actions/run_code.py
2026-03-26

FoundationAgents/MetaGPT: Arbitrary code execution via exec() in aflow operator run_code and benchmarks
CWE-95 metagpt/ext/aflow/scripts/operator.py
2026-03-26

OpenHands/OpenHands: Unsafe pickle deserialization of base64-encoded content from remote runtime
CWE-502 enterprise/server/utils/conversation_callback_utils.py
2026-03-26

OpenHands/OpenHands: Unsafe pickle deserialization of metrics from file store in ConversationStats
CWE-502 openhands/server/services/conversation_stats.py
2026-03-26

browser-use/browser-use: Arbitrary code execution via cloudpickle deserialization in sandbox decorator
CWE-502 browser_use/sandbox/sandbox.py
2026-03-26

open-webui/open-webui: Arbitrary code execution via admin-controlled tool/function content stored in DB
CWE-94 backend/open_webui/utils/plugin.py
2026-03-25

1Panel-dev/MaxKB: Unsafe pickle deserialization of user-uploaded files allows arbitrary code execution
CWE-502 apps/common/utils/common.py
2026-03-24

1Panel-dev/MaxKB: Server-Side Request Forgery (SSRF) via unrestricted URL fetch in template workflow and resource proxy
CWE-918 apps/application/serializers/application.py
2026-03-24

QwenLM/Qwen-Agent: Unsandboxed arbitrary code execution via exec() in PythonExecutor
CWE-94 qwen_agent/tools/python_executor.py
2026-03-24

ntegrals/openbrowser: Arbitrary command execution via MCP client spawn
CWE-78 packages/core/src/bridge/client.ts
2026-03-24

0x4m4/hexstrike-ai: OS Command Injection via Flask API endpoints passing user input to subprocess
CWE-78 hexstrike_server.py

Klavis-AI/klavis: SQL Injection in Snowflake MCP server via unparameterized user input in multiple handlers
CWE-89 mcp_servers/snowflake_toolathlon/src/mcp_snowflake_server/server.py

MemTensor/MemOS: SQL Injection via string interpolation in Cypher/SQL queries throughout PolarDB graph database
CWE-89 src/memos/graph_dbs/polardb.py

MemTensor/MemOS: SQL Injection in `edge_exists()` via f-string interpolation of user-controlled parameters into Cypher query
CWE-89 src/memos/graph_dbs/polardb.py

MemTensor/MemOS: SQL Injection in `get_children_with_embeddings()` via f-string interpolation
CWE-89 src/memos/graph_dbs/polardb.py

MemTensor/MemOS: SQL Injection in `get_subgraph()` via f-string interpolation of center_id, user_name, center_status
CWE-89 src/memos/graph_dbs/polardb.py

MemTensor/MemOS: SQL Injection in `clear()` via user_name interpolation into Cypher DELETE query
CWE-89 src/memos/graph_dbs/polardb.py

modelcontextprotocol/inspector: Command injection via query parameters in stdio transport creation
CWE-78 server/src/index.ts

High
20 on this page

MHSanaei/3x-ui: Shell command injection via user-supplied reloadCmd in install.sh
CWE-78 install.sh
2026-05-28

SynkraAI/aiox-core: Shell command injection via unsanitized args in spawnAgent/execSync
CWE-78 .aiox-core/core/orchestration/terminal-spawner.js
2026-05-28

aws/aws-cli: Shell injection in bootstrapdocs.py via PATH manipulation
CWE-78 doc/source/bootstrapdocs.py
2026-05-28

caamer20/Telegram-Drive: HTTP Header Injection via filename in Content-Disposition
CWE-116 app/src-tauri/src/api_routes.rs
2026-05-28

caamer20/Telegram-Drive: Reflected XSS via file_name in password form HTML
CWE-79 app/src-tauri/src/share_routes.rs
2026-05-28

dimensionalOS/dimos: Arbitrary code execution via pickle deserialization of untrusted multiprocessing pipe data
CWE-502 dimos/core/coordination/python_worker.py
2026-05-28

dimensionalOS/dimos: Arbitrary code execution via pickle.loads on data read from SQLite database
CWE-502 dimos/memory/timeseries/sqlite.py
2026-05-28

dimensionalOS/dimos: Arbitrary code execution via pickle.loads on data from PostgreSQL database
CWE-502 dimos/memory/timeseries/postgres.py
2026-05-28

dimensionalOS/dimos: Arbitrary module instantiation via JSON payload in Docker container entrypoint
CWE-94 dimos/core/docker_module.py
2026-05-28

griptape-ai/griptape: SQL Injection via LLM-generated queries in SqlTool
CWE-89 griptape/tools/sql/tool.py
2026-05-28

pytorch/pytorch: Unsafe pickle.loads on untrusted data in basichandlers decoder
CWE-502 torch/utils/data/datapipes/utils/decoder.py
2026-05-28

Dispatcharr/Dispatcharr: SQL injection in UnifiedContentViewSet via search and category parameters
CWE-89 apps/vod/api_views.py
2026-05-27

JannisX11/blockbench: Command injection via file_path and editor in openFileInEditor
CWE-78 js/native_apis.ts
2026-05-27

JannisX11/blockbench: Scoped filesystem bypass when scope is empty string
CWE-22 js/util/scoped_fs.ts
2026-05-27

alexzhang13/rlm: Arbitrary code execution via LLM-generated code in LocalREPL
CWE-94 rlm/environments/local_repl.py
2026-05-27

anyproto/anytype-ts: Command injection via file path in Api.openPath on Windows
CWE-78 electron/ts/api.ts
2026-05-27

badrisnarayanan/antigravity-claude-proxy: Account export endpoint exposes refresh tokens without additional auth
CWE-200 src/webui/index.js
2026-05-27

codeforreal1/compressO: Local video server allows arbitrary file read via path traversal
CWE-22 src-tauri/src/core/server.rs
2026-05-27

modelscope/FunASR: Arbitrary package installation from downloaded requirements.txt
CWE-78 funasr/utils/install_model_requirements.py
2026-05-27

nltk/nltk: eval() on partially-attacker-controlled string in read_str()
CWE-94 nltk/internals.py
2026-05-27