Findings
Audit findings.
Real bugs, not vibes — the security regressions Sebastion catches in live open-source code. Every finding maps to a CWE and is ranked by severity, then published in the open so you can see exactly what a security-first review surfaces before code ships.
1001 findings across 288 repositories — 80 critical, 364 high, 522 medium, 35 low.
Findings come from automated audit runs across public repositories, grouped by scanner severity. They have not all been individually triaged or acknowledged by maintainers; CVE numbers are assigned only after coordinated disclosure where applicable.
High
50 on this page
neondatabase/mcp-server-neon: OAuth client registration has no rate limiting or authentication
CWE-307 | landing/app/api/register/route.ts
2026-04-06
skalesapp/skales: Command injection via open-folder path parameter
CWE-78 | apps/web/src/app/api/system/open-folder/route.ts
2026-04-06
skalesapp/skales: vm.runInThisContext allows uploaded skill code to escape sandbox during upload
CWE-94 | apps/web/src/app/api/custom-skills/upload/route.ts
2026-04-06
skalesapp/skales: Path traversal in code preview endpoint serves arbitrary files from disk
CWE-22 | apps/web/src/app/api/code/preview/[id]/[...filepath]/route.ts
2026-04-06
skalesapp/skales: Shell command execution via orchestrator execute_command tool with LLM-controlled input
CWE-78 | apps/web/src/actions/orchestrator.ts
2026-04-06
skalesapp/skales: Command blacklist in executeCommand is trivially bypassable via encoding, aliases, and concatenation
CWE-78 | apps/web/src/actions/computer-use.ts
2026-04-06
skalesapp/skales: Path traversal in /api/code/snapshot allows writing snapshot files to arbitrary directories
CWE-22 | apps/web/src/app/api/code/snapshot/route.ts
2026-04-06
skalesapp/skales: Path traversal in deploy-config endpoint allows reading/writing config to arbitrary project directories
CWE-22 | apps/web/src/app/api/code/project/[id]/deploy-config/route.ts
2026-04-06
KroMiose/nekro-agent: Arbitrary method invocation via RPC endpoint with user-controlled method name and arguments
CWE-94 | nekro_agent/routers/rpc.py
2026-04-05
KroMiose/nekro-agent: RPC secret key leaked to sandbox containers enables host compromise
CWE-200 | nekro_agent/services/sandbox/ext_caller.py
2026-04-05
KroMiose/nekro-agent: Path traversal in plugin editor file operations via file_path parameter
CWE-22 | nekro_agent/routers/plugin_editor.py
2026-04-05
KroMiose/nekro-agent: Sandbox container escape via shared pip cache and package directories with write access
CWE-94 | nekro_agent/services/sandbox/runner.py
2026-04-05
agbcloud/agbcloud-sdk: Path traversal in file_system module via user-controlled path arguments
CWE-22 | agb/modules/file_system.py
2026-04-05
agbcloud/agbcloud-sdk: Arbitrary command execution via command module with no input sanitization
CWE-78 | agb/modules/command.py
2026-04-05
arc53/DocsGPT: SSRF via NtfyTool server_url parameter controlled by LLM (influenced by user)
CWE-918 | application/agents/tools/ntfy.py
2026-04-05
arc53/DocsGPT: SSRF via Telegram send_image image_url parameter controlled by LLM
CWE-918 | application/agents/tools/telegram.py
2026-04-05
arc53/DocsGPT: SSRF in MCP tool server_url - DNS rebinding bypass of URL validation
CWE-918 | application/agents/tools/mcp_tool.py
2026-04-05
arc53/DocsGPT: Path traversal in /api/images/<path:image_path> allows reading arbitrary storage files
CWE-22 | application/api/user/attachments/routes.py
2026-04-05
zcaceres/fetch-mcp: SSRF via DNS rebinding / TOCTOU race in URL validation
CWE-918 | src/Fetcher.ts
2026-04-05
zcaceres/fetch-mcp: SSRF bypass via HTTP redirect to private/internal addresses (incomplete coverage)
CWE-918 | src/Fetcher.ts
2026-04-05
PurpleAILAB/Decepticon: LLM-generated commands executed in host-accessible Docker sandbox with insufficient allowlist filtering
CWE-78 | decepticon/tools/bash/tool.py
2026-04-04
PurpleAILAB/Decepticon: Docker socket mounted into langgraph container enables container escape to host
CWE-250 | docker-compose.yml
2026-04-04
cft0808/edict: SSRF via WebhookChannel.send() — arbitrary URL fetch with no domain restriction
CWE-918 | edict/backend/app/channels/webhook.py
2026-04-04
cft0808/edict: SSRF via add_remote_skill — server-side fetch of user-supplied URL
CWE-918 | dashboard/server.py
2026-04-04
jo-inc/camofox-browser: Path traversal in cookie file import via plugin tool
CWE-22 | lib/cookies.js
2026-04-04
jo-inc/camofox-browser: Arbitrary JavaScript execution in browser context via evaluate endpoint
CWE-94 | server.js
2026-04-04
vstorm-co/full-stack-ai-agent-template: Path traversal in LocalFileStorage.load() and delete() via storage_path
CWE-22 | template/{{cookiecutter.project_slug}}/backend/app/services/file_storage.py
2026-04-04
vstorm-co/full-stack-ai-agent-template: SSRF via webhook URL — user-controlled URL used in HTTP requests
CWE-918 | template/{{cookiecutter.project_slug}}/backend/app/services/webhook.py
2026-04-04
webiny/webiny-js: GitHub Actions script injection via PR title/branch name in issue_comment workflows
CWE-78 | .github/workflows/pullRequestsCommandVitest.yml
2026-04-04
webiny/webiny-js: Script injection via attacker-controlled changed_files JSON in pullRequests.yml
CWE-78 | .github/workflows/pullRequests.yml
2026-04-04
webiny/webiny-js: Script injection via changed-packages output used in vitest-constants jobs
CWE-78 | .github/workflows/pullRequests.yml
2026-04-04
CodeGraphContext/CodeGraphContext: Cypher injection via execute_cypher_query tool
CWE-943 | src/codegraphcontext/tools/system.py
2026-04-03
CodeGraphContext/CodeGraphContext: Cypher injection via viz server /api/graph cypher_query parameter
CWE-943 | src/codegraphcontext/viz/server.py
2026-04-03
CodeGraphContext/CodeGraphContext: Arbitrary file read via viz server /api/file endpoint
CWE-22 | src/codegraphcontext/viz/server.py
2026-04-03
higress-group/himarket: Shell injection via eval in call_api() function in init scripts
CWE-78 | deploy/docker/hooks/post_ready.d/20-init-himarket-admin.sh
2026-04-03
higress-group/himarket: Shell injection via eval in call_api() in portal developer init script (docker)
CWE-78 | deploy/docker/hooks/post_ready.d/60-init-portal-developer.sh
2026-04-03
higress-group/himarket: Shell injection via eval in call_api() in helm portal developer init script
CWE-78 | deploy/helm/hooks/post_ready.d/60-init-portal-developer.sh
2026-04-03
jjyaoao/HelloAgents: Path traversal in file tools allows reading/writing arbitrary files
CWE-22 | hello_agents/tools/builtin/file_tools.py
2026-04-03
jjyaoao/HelloAgents: Path traversal in DevLogTool via session_id parameter
CWE-22 | hello_agents/tools/builtin/devlog_tool.py
2026-04-03
jjyaoao/HelloAgents: Path traversal in session persistence via session_id
CWE-22 | hello_agents/core/session_store.py
2026-04-03
microsoft/agent-lightning: Flask proxy server bound to 0.0.0.0 exposes LLM backend to network
CWE-200 | agentlightning/verl/daemon.py
2026-04-03
nanbingxyz/5ire: SSRF via renderer-controlled URL in IPC 'request' handler
CWE-918 | src/main/main.ts
2026-04-03
nanbingxyz/5ire: Arbitrary command execution via deep link install-tool
CWE-94 | src/main/services/deep-link-handler.ts
2026-04-03
nanbingxyz/5ire: SQL injection via renderer-controlled IPC in legacy database handlers
CWE-89 | src/main/sqlite.ts
2026-04-03
nanbingxyz/5ire: Command injection via MCP server endpoint in stdio transport - concatenated arguments passed to shell parser
CWE-78 | src/main/services/mcp-connections-manager.ts
2026-04-03
strands-agents/tools: Insecure deserialization of REPL state via dill.load from user-controllable path
CWE-502 | src/strands_tools/python_repl.py
2026-04-03
strands-agents/tools: Dynamic tool loading allows arbitrary code execution from agent-specified file paths
CWE-94 | src/strands_tools/load_tool.py
2026-04-03
test-zeus-ai/testzeus-hercules: Arbitrary module import via SANDBOX_PACKAGES and SANDBOX_CUSTOM_INJECTIONS environment variables
CWE-94 | testzeus_hercules/core/tools/execute_python_sandbox.py
2026-04-03
AIPexStudio/AIPex: Skill API fetch() acts as unrestricted SSRF proxy from QuickJS VM
CWE-918 | packages/browser-runtime/src/lib/vm/skill-api.ts
2026-04-02
arabold/docs-mcp-server: Server-Side Request Forgery (SSRF) via FetchUrlTool and ScrapeTool
CWE-918 | src/tools/FetchUrlTool.ts
2026-04-02