Sebastion public security findings.

Audit findings.

Real bugs, not vibes — the security regressions Sebastion catches in live open-source code. Every finding maps to a CWE and is ranked by severity, then published in the open so you can see exactly what a security-first review surfaces before code ships.

1001 findings across 288 repositories — 80 critical, 364 high, 522 medium, 35 low.

Findings come from automated audit runs across public repositories, grouped by scanner severity. They have not all been individually triaged or acknowledged by maintainers; CVE numbers are assigned only after coordinated disclosure where applicable.

High

44 on this page
ruc-datalab/DeepAnalyze
Arbitrary code execution via eval() on file contents in show_result.py (data_analysis)
CWE-95 | playground/DSBench/data_analysis/show_result.py
2026-03-27

ruc-datalab/DeepAnalyze
Arbitrary code execution via eval() on file contents in compute_answer.py
CWE-95 | playground/DSBench/data_analysis/compute_answer.py
2026-03-27

zcaceres/markdownify-mcp
Arbitrary file read via GetMarkdownFileTool when MD_SHARE_DIR is unset
CWE-22 | src/Markdownify.ts
2026-03-27

FoundationAgents/MetaGPT
eval() on LLM-controlled data in ActionNode.xml_fill for list/dict fields
CWE-95 | metagpt/actions/action_node.py
2026-03-26

FoundationAgents/MetaGPT
Shell injection via subprocess with shell=True in AndroidExtEnv
CWE-78 | metagpt/environment/android/android_ext_env.py
2026-03-26

FoundationAgents/MetaGPT
exec() on test code from JSONL dataset files in Test operator
CWE-95 | metagpt/ext/aflow/scripts/operator.py
2026-03-26

OpenHands/OpenHands
Open redirect via decrypted OAuth state in GitHub proxy callback
CWE-601 | enterprise/server/routes/github_proxy.py
2026-03-26

browser-use/browser-use
Arbitrary code execution via PythonSession.execute with eval/exec on user-provided code
CWE-94 | browser_use/skill_cli/python_session.py
2026-03-26

browser-use/browser-use
Unauthenticated daemon Unix socket/TCP allows arbitrary browser control and code execution
CWE-306 | browser_use/skill_cli/daemon.py
2026-03-26

browser-use/browser-use
Arbitrary JavaScript execution via 'eval' browser command over unauthenticated daemon socket
CWE-94 | browser_use/skill_cli/commands/browser.py
2026-03-26

khoj-ai/khoj
OS Command Injection via operator agent shell commands on local ComputerEnvironment
CWE-78 | src/khoj/processor/operator/operator_environment_computer.py
2026-03-26

khoj-ai/khoj
OS Command Injection via operator text_editor actions with insufficient escaping
CWE-78 | src/khoj/processor/operator/operator_environment_computer.py
2026-03-26

khoj-ai/khoj
Arbitrary code execution via eval() on LLM-controlled coordinate strings in UITars grounding agent
CWE-95 | src/khoj/processor/operator/grounding_agent_uitars.py
2026-03-26

khoj-ai/khoj
SSRF via user-controlled Host header in share URL construction
CWE-918 | src/khoj/routers/api_chat.py
2026-03-26

Marker-Inc-Korea/AutoRAG
ast.literal_eval on untrusted CSV data enables code injection
CWE-95 | autorag/utils/util.py
2026-03-25

katanemo/plano
os.path.expandvars on config files enables environment variable injection
CWE-94 | cli/planoai/native_runner.py
2026-03-25

mem0ai/mem0
SQL Injection via unsanitized query passed to MySQL cursor.execute()
CWE-89 | embedchain/embedchain/loaders/mysql.py
2026-03-25

mem0ai/mem0
SQL Injection via unsanitized query passed to Postgres cursor.execute()
CWE-89 | embedchain/embedchain/loaders/postgres.py
2026-03-25

open-webui/open-webui
Arbitrary pip package installation via frontmatter requirements in user-supplied tool/function code
CWE-94 | backend/open_webui/utils/plugin.py
2026-03-25

1Panel-dev/MaxKB
SSRF via open proxy in ResourceProxy endpoint
CWE-918 | apps/chat/views/chat.py
2026-03-24

1Panel-dev/MaxKB
Pickle deserialization of remotely-fetched content in update_template_workflow
CWE-502 | apps/application/serializers/application.py
2026-03-24

QwenLM/Qwen-Agent
Arbitrary code execution via exec() in benchmark code_execution metric
CWE-94 | benchmark/code_interpreter/metrics/code_execution.py
2026-03-24

QwenLM/Qwen-Agent
Command injection via automatic pip install in benchmark metrics
CWE-78 | benchmark/code_interpreter/metrics/code_execution.py
2026-03-24

activepieces/activepieces
SQL Injection via string interpolation in database migration
CWE-89 | packages/server/api/src/app/database/migration/postgres/1709052740378-AddPlatformToPostgres.ts
2026-03-24

ntegrals/openbrowser
Arbitrary JavaScript evaluation via CLI server 'eval' command over Unix socket
CWE-94 | packages/cli/src/server.ts
2026-03-24

ntegrals/openbrowser
Unauthenticated MCP SSE server with permissive CORS allows remote browser control
CWE-284 | packages/core/src/bridge/server.ts
2026-03-24

pydantic/pydantic-ai
SQL injection via LLM-generated query in sql_gen.py output validator
CWE-89 | examples/pydantic_ai_examples/sql_gen.py
2026-03-24

Josh-XT/AGiXT
Arbitrary user impersonation via JWT forging with known AGIXT_API_KEY
CWE-287 | agixt/Agent.py
2026-03-23

Pimzino/spec-workflow-mcp
Path traversal in spec name allows reading/writing arbitrary files
CWE-22 | src/dashboard/multi-server.ts
2026-03-23

Pimzino/spec-workflow-mcp
Path traversal in document parameter for spec save endpoint
CWE-22 | src/dashboard/multi-server.ts
2026-03-23

av/harbor
Command injection via alias execution with eval
CWE-78 | harbor.sh
2026-03-23

av/harbor
Remote code execution via malicious profile downloaded from URL
CWE-78 | harbor.sh
2026-03-23

ModelEngine-Group/nexent
Server-Side Template Injection via Jinja2 Template rendering of user-controlled data
CWE-1336 | backend/services/agent_service.py
2026-03-21

InternLM/xtuner
Unsafe deserialization of rollout server response via cloudpickle
CWE-502 | xtuner/v1/ray/rollout/worker.py
2026-03-16

InternLM/xtuner
GitHub Actions workflow allows any commenter to trigger code execution with write permissions and secret access
CWE-918 | .github/workflows/claude-general.yml
2026-03-16

Giskard-AI/giskard-oss
Server-Side Template Injection via Jinja2 templates with user-controlled variables
CWE-94 | libs/giskard-agents/src/giskard/agents/templates/prompts_manager.py
2026-03-15

Giskard-AI/giskard-oss
Arbitrary code execution via LLM-controlled tool arguments deserialized through json.loads and Pydantic
CWE-502 | libs/giskard-agents/src/giskard/agents/workflow.py
2026-03-15

0x4m4/hexstrike-ai
Pickle module imported and available for deserialization of potentially untrusted data
CWE-502 | hexstrike_server.py

0x4m4/hexstrike-ai
SSRF via user-controlled target URLs in reconnaissance/scanning functions
CWE-918 | hexstrike_server.py

Klavis-AI/klavis
SQL Injection via database/schema/table name parameters in DDL operations
CWE-89 | mcp_servers/snowflake_toolathlon/src/mcp_snowflake_server/server.py

MemTensor/MemOS
SQL Injection in `create_graph()` via db_name interpolation
CWE-89 | src/memos/graph_dbs/polardb.py

MemTensor/MemOS
SQL Injection in `get_grouped_counts()` via params dict interpolation into WHERE clause
CWE-89 | src/memos/graph_dbs/polardb.py

MervinPraison/PraisonAI
Arbitrary code execution via user-supplied tools.py file path
CWE-94 | src/praisonai/praisonai/cli/main.py

modelcontextprotocol/inspector
Server-Side Request Forgery via URL query parameter in SSE/StreamableHTTP transports
CWE-918 | server/src/index.ts

Medium

6 on this page
Adam-CAD/CADAM
SSRF via PostHog proxy allowing requests to arbitrary subpaths on PostHog hosts
CWE-918 | src/routes/api/jackson-pollock/$.ts
2026-05-28

MHSanaei/3x-ui
Shell injection via eval of user-controlled tag_version in x-ui.sh legacy_version()
CWE-78 | x-ui.sh
2026-05-28

PastKing/tgbot-verify
Exception message reflected to Telegram user leaks internal details
CWE-209 | handlers/verify_commands.py
2026-05-28

PastKing/tgbot-verify
getV4Code allows any user to query any verification ID without ownership check
CWE-862 | handlers/verify_commands.py
2026-05-28

SynkraAI/aiox-core
Claude CLI spawned with --dangerously-skip-permissions using unsanitized prompt input
CWE-78 | .aiox-core/core/execution/subagent-dispatcher.js
2026-05-28

aws/aws-cli
Command injection via codedeploy installer filename from S3
CWE-78 | awscli/customizations/codedeploy/systems.py
2026-05-28