Skip to content
Sebastion public security findings.Browse the research
FoundationMachines
Findings

Audit findings.

Real bugs, not vibes — the security regressions Sebastion catches in live open-source code. Every finding maps to a CWE and is ranked by severity, then published in the open so you can see exactly what a security-first review surfaces before code ships.

1001 findings across 288 repositories — 80 critical, 364 high, 522 medium, 35 low.

Findings come from automated audit runs across public repositories, grouped by scanner severity. They have not all been individually triaged or acknowledged by maintainers; CVE numbers are assigned only after coordinated disclosure where applicable.

High

50 on this page
zhayujie/CowAgent
Arbitrary file read via /api/file path parameter
CWE-22channel/web/web_channel.py
2026-04-23
zhayujie/CowAgent
Arbitrary file write via write tool with path traversal
CWE-22agent/tools/write/write.py
2026-04-23
zhayujie/CowAgent
Arbitrary file edit via edit tool with path traversal
CWE-22agent/tools/edit/edit.py
2026-04-23
zhayujie/CowAgent
Arbitrary file read via read tool with path traversal
CWE-22agent/tools/read/read.py
2026-04-23
zhayujie/CowAgent
Environment variable values written in plaintext to disk and settable by LLM
CWE-200agent/tools/env_config/env_config.py
2026-04-23
virattt/ai-hedge-fund
Path traversal in save-json endpoint
CWE-22app/backend/routes/storage.py
2026-04-21
anomalyco/opencode
Shell injection via GitHub context actor in git commit commands
CWE-78github/index.ts
2026-04-20
mrdoob/three.js
Arbitrary code execution via Worker from user-uploaded .js/.json file
CWE-94editor/js/Loader.js
2026-04-20
yangshun/tech-interview-handbook
Broken access control in offers comment create - any userId accepted without verification
CWE-862apps/portal/src/server/router/offers/offers-comments-router.ts
2026-04-20
yangshun/tech-interview-handbook
Broken access control in offers comment update/delete - attacker-supplied userId used for authorization
CWE-862apps/portal/src/server/router/offers/offers-comments-router.ts
2026-04-20
AstrBotDevs/AstrBot
Shell command injection via _is_safe_command bypass in LocalShellComponent
CWE-78astrbot/core/computer/booters/local.py
2026-04-19
AstrBotDevs/AstrBot
Arbitrary Python code execution via LocalPythonComponent
CWE-94astrbot/core/computer/booters/local.py
2026-04-19
szczyglis-dev/py-gpt
SQL injection via table/column names in DB viewer
CWE-89src/pygpt_net/core/db/viewer.py
2026-04-19
vanna-ai/vanna
Path traversal in LocalFileSystem file operations
CWE-22src/vanna/integrations/local/file_system.py
2026-04-19
devnen/Chatterbox-TTS-Server
Path traversal via reference_audio_filename in /tts endpoint
CWE-22server.py
2026-04-18
devnen/Chatterbox-TTS-Server
Path traversal via predefined_voice_id in /tts endpoint
CWE-22server.py
2026-04-18
hsliuping/TradingAgents-CN
Path traversal in log file reading and deletion
CWE-22app/services/log_export_service.py
2026-04-15
hsliuping/TradingAgents-CN
Path traversal in log file deletion endpoint
CWE-22app/routers/logs.py
2026-04-15
hsliuping/TradingAgents-CN
Arbitrary MongoDB collection write via import endpoint
CWE-94app/routers/database.py
2026-04-15
letta-ai/letta
Arbitrary code execution via sandbox tool executor with user-controlled source_code
CWE-94letta/services/tool_executor/sandbox_tool_executor.py
2026-04-14
letta-ai/letta
Unsafe pickle deserialization of sandbox subprocess output
CWE-502letta/services/helpers/tool_parser_helper.py
2026-04-14
letta-ai/letta
Command injection via pip/npm package names in E2B sandbox setup
CWE-78letta/services/tool_sandbox/e2b_sandbox.py
2026-04-14
emcie-co/parlant
SSRF via OpenAPI service source parameter
CWE-918src/parlant/core/services/tools/service_registry.py
2026-04-12
a-bonus/google-docs-mcp
Access token stored in server memory and exposed via unauthenticated download proxy endpoint
CWE-200src/downloadProxy.ts
2026-04-10
duriantaco/skylos
Server-Side Request Forgery (SSRF) via user-controlled URL
CWE-918app.py
2026-04-10
duriantaco/skylos
Path Traversal via arbitrary file read
CWE-22app.py
2026-04-10
duriantaco/skylos
Unsafe YAML deserialization with yaml.load() (no Loader specified)
CWE-502app.py
2026-04-10
microsoft/RD-Agent
Unauthenticated arbitrary process execution via /upload endpoint
CWE-94rdagent/log/server/app.py
2026-04-10
microsoft/RD-Agent
SSRF/arbitrary file read via /upload General Model scenario
CWE-918rdagent/log/server/app.py
2026-04-10
microsoft/RD-Agent
Unsafe pickle deserialization of log files in FileStorage.iter_msg
CWE-502rdagent/log/storage.py
2026-04-10
microsoft/RD-Agent
Unsafe pickle deserialization of user-interaction session data
CWE-502rdagent/scenarios/data_science/interactor/__init__.py
2026-04-10
microsoft/RD-Agent
Unsafe pickle deserialization of user-interaction session data in Streamlit UI
CWE-502rdagent/log/ui/ds_user_interact.py
2026-04-10
microsoft/RD-Agent
Unsafe pickle deserialization of debug_llm.pkl from user-selected log paths
CWE-502rdagent/log/ui/llm_st.py
2026-04-10
resend/resend-mcp
Arbitrary file read via send-email attachment filePath parameter
CWE-22src/tools/emails.ts
2026-04-10
resend/resend-mcp
HTTP transport lacks authentication — any network client can invoke all MCP tools
CWE-287src/transports/http.ts
2026-04-10
NVIDIA-AI-Blueprints/rag
Stored XSS via dangerouslySetInnerHTML rendering of unsanitized markdown
CWE-79frontend/src/components/chat/MessageContent.tsx
2026-04-07
NVIDIA-AI-Blueprints/rag
Stored XSS via dangerouslySetInnerHTML in CitationTextContent
CWE-79frontend/src/components/citations/CitationTextContent.tsx
2026-04-07
Softeria/ms-365-mcp-server
SSRF via fetchAllPages following attacker-controlled @odata.nextLink URLs
CWE-918src/graph-tools.ts
2026-04-07
Softeria/ms-365-mcp-server
Open CORS policy allows any origin to make authenticated requests to MCP endpoints
CWE-346src/server.ts
2026-04-07
line/line-bot-mcp-server
HTML injection via action labels in Puppeteer-rendered rich menu image
CWE-79src/tools/createRichMenu.ts
2026-04-07
smithery-ai/cli
Command injection via unsanitized `skillUrl` passed to `execSync` with shell interpretation
CWE-78src/commands/skill/install.ts
2026-04-07
tonykipkemboi/ollama_pdf_rag
Path traversal via user-controlled PDF filename in upload
CWE-22src/api/services/pdf_service.py
2026-04-07
FunnyWolf/agentic-soc-platform
Splunk Query Injection via unsanitized filter values in AdaptiveQueryInput
CWE-89PLUGINS/SIEM/tools.py
2026-04-06
FunnyWolf/agentic-soc-platform
Splunk Query Injection via index_name parameter in AdaptiveQueryInput
CWE-89PLUGINS/SIEM/tools.py
2026-04-06
FunnyWolf/agentic-soc-platform
Splunk Query Injection via keyword parameter in keyword_search_splunk
CWE-89PLUGINS/SIEM/tools.py
2026-04-06
SalesforceAIResearch/MCP-Universe
Arbitrary code execution via sandbox server with no authentication
CWE-94docker/python_code_sandbox/sandbox_container_server.py
2026-04-06
SalesforceAIResearch/MCP-Universe
Server-Side Template Injection via Jinja2 rendering of user-controlled config templates
CWE-1336mcpuniverse/agent/utils.py
2026-04-06
SylphxAI/pdf-reader-mcp
Path traversal via MCP tool call allows reading arbitrary files
CWE-22src/utils/pathUtils.ts
2026-04-06
neondatabase/mcp-server-neon
Open redirect via unvalidated redirectUri in OAuth callback
CWE-601landing/app/callback/route.ts
2026-04-06
neondatabase/mcp-server-neon
OAuth state parameter in authorize POST is attacker-controlled and parsed without origin validation
CWE-346landing/app/api/authorize/route.ts
2026-04-06