
Audit findings.

Real bugs, not vibes — the security regressions Sebastion catches in live open-source code. Every finding maps to a CWE and is ranked by severity, then published in the open so you can see exactly what a security-first review surfaces before code ships.

1001 findings across 288 repositories — 80 critical, 364 high, 522 medium, 35 low.

Findings come from automated audit runs across public repositories, grouped by scanner severity. They have not all been individually triaged or acknowledged by maintainers; CVE numbers are assigned only after coordinated disclosure where applicable.

Medium

16 on this page
Klavis-AI/klavis
SQL Injection in Google Drive search_spreadsheets via query parameter
CWE-89 mcp_servers/google_sheets_toolathlon/src/mcp_google_sheets/server.py
Klavis-AI/klavis
Allowed databases bypass via incomplete SQL parsing in read_query/write_query
CWE-863 mcp_servers/snowflake_toolathlon/src/mcp_snowflake_server/server.py
Klavis-AI/klavis
Sensitive credential logging in Snowflake server error handler
CWE-200 mcp_servers/snowflake_toolathlon/src/mcp_snowflake_server/server.py
MemTensor/MemOS
Internal service authentication bypass via spoofable X-Internal-Service header
CWE-287 src/memos/api/middleware/auth.py
MemTensor/MemOS
IP-based authentication bypass via hostname entries in INTERNAL_SERVICE_IPS
CWE-290 src/memos/api/middleware/auth.py
MervinPraison/PraisonAI
YAML-loaded environment variables set via os.environ without sanitization
CWE-78 src/praisonai/praisonai/cli/main.py
airweave-ai/airweave
SQL LIKE injection via unsanitized search parameter in admin organization listing
CWE-89 backend/airweave/api/v1/endpoints/admin.py
airweave-ai/airweave
Command injection via STRIPE_CLI_BIN environment variable in manual test script
CWE-78 backend/scripts/manual_stripe_pro_flow.py
airweave-ai/airweave
Hardcoded credentials in manual test script exposed in repository
CWE-200 backend/scripts/manual_stripe_pro_flow.py
airweave-ai/airweave
Admin organization access bypass via skip_organization_check in SearchFactory
CWE-862 backend/airweave/search/factory.py
mcp-use/mcp-use
User-controlled path passed to spawn/child_process without validation
CWE-78 libraries/typescript/packages/cli/src/index.ts
mcp-use/mcp-use
Arbitrary TypeScript/JavaScript file import via --path and --server options in dev/generate-types commands
CWE-94 libraries/typescript/packages/cli/src/index.ts
mcp-use/mcp-use
Widget name injected into HTML template without escaping
CWE-79 libraries/typescript/packages/cli/src/index.ts
modelcontextprotocol/inspector
Arbitrary environment variable injection via query parameter in stdio transport
CWE-94 server/src/index.ts
modelcontextprotocol/inspector
Origin validation bypass allows non-browser CSRF and unauthorized access
CWE-346 server/src/index.ts
modelcontextprotocol/inspector
Session token exposed in URL query parameters and localStorage
CWE-200 client/bin/start.js

Low

34 on this page
payloadcms/payload
Pathname wildcard regex in isURLAllowed lacks anchoring escape of regex metacharacters
CWE-1333 packages/payload/src/utilities/isURLAllowed.ts
2026-05-11
hsliuping/TradingAgents-CN
Verbose error messages expose internal details in multiple API endpoints
CWE-209 app/routers/social_media.py
2026-04-15
mapbox/mcp-server
Unsafe JSON.parse of OTEL headers from environment variable
CWE-94 src/utils/tracing.ts
2026-04-10
ihor-sokoliuk/mcp-searxng
CORS origin check allows requests with no Origin header when origins are restricted
CWE-346 src/http-security.ts
2026-04-07
ihor-sokoliuk/mcp-searxng
ReDoS potential in section extraction regex with user-controlled input
CWE-1333 src/url-reader.ts
2026-04-07
vercel/mcp-handler
Unbounded in-memory server array growth in SSE mode
CWE-400 src/handler/mcp-api-handler.ts
2026-04-06
agbcloud/agbcloud-sdk
Pre-signed URLs logged in plaintext enabling unauthorized access to cloud storage
CWE-532 python/agb/modules/file_transfer.py
2026-04-05
kernel/kernel-images
Directory traversal via SimpleHTTPRequestHandler
CWE-22 images/chromium-headful/image-chromium/http_server.py
2026-04-04
higress-group/himarket
Hardcoded default credentials in application configuration and deployment scripts
CWE-798 himarket-bootstrap/src/main/resources/application.yml
2026-04-03
nanbingxyz/5ire
Encryptor bridge exposes encrypt/decrypt to renderer without access control
CWE-863 src/main/bridge/encryptor-bridge.ts
2026-04-03
AIPexStudio/AIPex
SSRF protection on aiHost URL is bypassed in development mode
CWE-346 packages/browser-ext/src/lib/ai-provider.ts
2026-04-02
regenrek/deepwiki-mcp
ReDoS potential in deepwikiSearch regex construction from user query
CWE-1333 src/tools/deepwikiSearch.ts
2026-04-01
open-compress/claw-compactor
ReDoS potential in grep line parsing regex
CWE-1333 scripts/lib/fusion/search_crunch.py
2026-03-31
modelcontextprotocol/ext-apps
Wiki explorer fetches arbitrary Wikipedia URLs provided by tool caller
CWE-918 examples/wiki-explorer-server/server.ts
2026-03-30
MCPJam/inspector
Session token exposed in URL query parameters for SSE endpoints
CWE-200 mcpjam-inspector/server/middleware/session-auth.ts
2026-03-29
nottelabs/notte
Hardcoded PostHog API key in source code
CWE-798 packages/notte-core/src/notte_core/common/telemetry.py
2026-03-29
google/adk-python
DOM-based XSS via innerHTML in color picker browser component
CWE-79 src/google/adk/cli/browser/chunk-GLGRLUIJ.js
2026-03-28
perplexityai/modelcontextprotocol
Verbose error messages leak internal details to MCP clients
CWE-200 src/server.ts
2026-03-28
EverMind-AI/EverMemOS
User-controlled base_url in LLM/embedding API clients enables SSRF
CWE-918 src/core/component/llm/llm_adapter/openai_adapter.py
2026-03-27
e2b-dev/E2B
Supabase edge function leaks user email to external services without validation
CWE-200 supabase/functions/new_user/index.ts
2026-03-27
mobile-next/mobile-mcp
Telemetry sends hashed but potentially deanonymizable host identity to third party
CWE-200 src/server.ts
2026-03-27
khoj-ai/khoj
Code injection via ast.literal_eval on LLM-controlled coordinate strings in Anthropic operator agent
CWE-94 src/khoj/processor/operator/operator_agent_anthropic.py
2026-03-26
ZhuLinsen/daily_stock_analysis
Git diff command uses unsanitized GITHUB_BASE_REF environment variable
CWE-78 .github/scripts/ai_review.py
2026-03-24
Crosstalk-Solutions/project-nomad
GitHub Actions expression injection in authorization check
CWE-77 .github/workflows/build-disk-collector.yml
2026-03-23
IBM/mcp-context-forge
In-memory rate limiting is per-process and can be exhausted by IP spoofing
CWE-400 mcpgateway/admin.py
2026-03-23
exa-labs/exa-mcp-server
Rate limit bypass prefix checked via simple startsWith on user-controlled User-Agent
CWE-863 api/mcp.ts
2026-03-22
gptme/gptme
API keys passed as command-line arguments to docker, visible in process list
CWE-532 gptme/eval/main.py
2026-03-22
Mai-with-u/MaiBot
Tool call arguments logged and persisted including potentially sensitive data
CWE-532 plugins/MaiBot_MCPBridgePlugin/plugin.py
2026-03-20
getsentry/XcodeBuildMCP
Package.json version values interpolated directly into generated TypeScript source
CWE-94 scripts/generate-version.ts
2026-03-18
MemMachine/MemMachine
SSRF via environment-controlled CRM_SERVER_URL in Slack server
CWE-918 examples/v1/crm/slack_server.py
2026-03-17
NousResearch/hermes-agent
.worktreeinclude allows path traversal for file copy and symlink creation
CWE-22 cli.py
2026-03-14
langchain-ai/open-swe
Image URLs from untrusted issue/comment bodies fetched server-side (SSRF)
CWE-918 agent/webapp.py
2026-03-12
shaxiu/XianyuAutoAgent
Full raw WebSocket messages logged at DEBUG level may contain sensitive user data
CWE-200 main.py
2026-03-11
mcp-use/mcp-use
SSRF via MCP_USE_API environment variable in tunnel cleanup
CWE-918 libraries/typescript/packages/cli/src/index.ts