Contributions

Security fixes shipped
to real projects.

Every vulnerability Sebastion finds in open source ships as a fix, not just a write-up. Filter by status, vulnerability class or project. Projects sorted by most-contributed-to by default; PRs sorted latest-first.

Fixes Accepted

Projects

Case Studies

Projects

CodeGraphContext

4 fixes accepted

Path TraversalCORS MisconfigurationSecurity Fix

mcphub

samanhappy

3 fixes accepted

Security FixInformation Disclosure

Travel-Plans-

hitesh-kumar123

2 fixes accepted

SQL InjectionCORS Misconfiguration

photon

portel-dev

2 fixes accepted

Path TraversalCORS Misconfiguration

LangBot

langbot-app

2 fixes accepted

Path TraversalSecurity Fix

EasySpider

NaiboWang

2 fixes accepted

CORS MisconfigurationCode Injection

ragflow

infiniflow

2 fixes accepted

AuthorizationDeserialization

ms-365-mcp-server

Softeria

2 fixes accepted

Security Fix

LightRAG

HKUDS

2 fixes accepted

Input ValidationSecurity Fix

AIPex

AIPexStudio

2 fixes accepted

WebSocket SecuritySSRF

contextplus

ForLoopCodes

2 fixes accepted

Path TraversalCommand Injection

contextplus

forloopcodes

2 fixes accepted

Path TraversalCommand Injection

Pull requests

84 results · page 1 of 4showing 1-25

Openagentmemory

fix(viewer): prevent path-traversal SSRF in proxy (CWE-918)

Path TraversalCWE-91810 Jun 2026

MergedPowerMCP

fix(hope): prevent path traversal in hope_read_output filename parameter

Path Traversal10 Jun 2026

Write-up pending

MergedSQLBot

fix(row-permission): escape SQL values in row permission filter to prevent injection (CWE-89)

Code InjectionCWE-8910 Jun 2026

Write-up pending

Openclaude-code-router

fix(server): prevent path traversal in log file endpoints

Path Traversal10 Jun 2026

Openawesome-llm-apps

fix(social-media): prevent SQL injection in get_sentiment_over_time date parameters

SQL Injection10 Jun 2026

MergedFreeQwenApi

fix(chatHistory): sanitize chatId to prevent path traversal (CWE-22)

Path TraversalCWE-229 Jun 2026

Write-up pending

MergedTravel-Plans-

fix(cors): replace substring origin matching with strict allowlist

CORS Misconfiguration9 Jun 2026

Write-up pending

MergedTravel-Plans-

fix(trips): escape regex metacharacters in destination lookup to prevent NoSQL injection

SQL Injection8 Jun 2026

Write-up pending

Opensurf

fix(app): escape textContent before innerHTML in postProcessMediaCards to prevent stored XSS

Security Fix8 Jun 2026

Openmemanto

fix(ui): remove plaintext API key and session token from /api/ui/config response

Information Disclosure8 Jun 2026

Openmemanto

fix(upload): sanitize filename to prevent path traversal (CWE-22)

Path TraversalCWE-228 Jun 2026

Openhuf

fix(artifacts): sanitize SVG content to prevent stored XSS

Input Validation7 Jun 2026

Mergedpluggedin-app

fix(mcp-servers): add missing authorization to toggleMcpServerStatus

Authorization7 Jun 2026

Write-up pending

Mergedphoton

fix(auth): restrict CORS on OAuth AS endpoints to localhost origins

CORS Misconfiguration7 Jun 2026

Write-up pending

Openplannotator

fix(image): prevent path traversal in /api/image endpoint

Path Traversal6 Jun 2026

Mergedphoton

fix(beam): prevent path traversal via client-controlled root in /api/browse

Path Traversal6 Jun 2026

Write-up pending

Mergedstory-spark-ai

fix(post): remove raw searchTerm regex bypass in getPosts query (CWE-943)

Regex InjectionCWE-9436 Jun 2026

Write-up pending

Openrai

fix(tool_runner): sanitize exception details in ToolMessage content (CWE-209)

Input ValidationCWE-2096 Jun 2026

OpensearxNcrawl

fix(auth): confine storage_state paths in MCP tools to prevent path traversal

Path Traversal6 Jun 2026

Openscrapai-cli

fix(airflow): sanitize spider name and project before shell interpolation in DAGs

Input Validation5 Jun 2026

Mergedtoolsdk-mcp-registry

fix(oauth): escape user-controlled query params in callback HTML to prevent reflected XSS

Security Fix5 Jun 2026

Write-up pending

Mergedagentica

fix(gateway): prevent path traversal in /api/upload target_dir parameter

Path Traversal3 Jun 2026

Write-up pending

Mergedlxserver

fix(elfinder): prevent path traversal in decode() method

Path Traversal3 Jun 2026

Write-up pending

Openpentest-copilot

fix(agent): add user ownership check to clearContext endpoint

Authorization3 Jun 2026

Mergedworldmonitor

fix(mcp-proxy): pin SSE endpoint hostname to prevent SSRF via endpoint event

SSRF2 Jun 2026

Write-up pending

This page updates automatically. Data sourced from GitHub via Sebastion's autonomous audit pipeline. A Foundation Machines program.

Security fixes shippedto real projects.

Projects

Pull requests

Security fixes shipped
to real projects.