Contributions
Security fixes shipped
to real projects.
Every vulnerability Sebastion finds in open source gets a fix, not just a write-up. These are the projects we've contributed accepted security patches to.
26
Fixes Accepted
19
Projects
19
Case Studies
Projects
Accepted Fixes
Mergedskills
fix: prevent SQL injection in sql_manager.py (CWE-89)
SQL InjectionCWE-8921 Feb 2026
Mergedsummarize
fix: restrict daemon CORS to trusted origins (CWE-942)
CORS MisconfigurationCWE-94221 Feb 2026
Mergedsummarize
test: add CORS allowlist edge-case coverage
CORS Misconfiguration10 Mar 2026
Mergedgptme
fix: use --env-file for docker secrets instead of CLI args (CWE-214)
Information DisclosureCWE-21423 Mar 2026
Mergeddaily_stock_analysis
fix(auth): use rightmost X-Forwarded-For entry to prevent rate-limit bypass (CWE-345)
IP SpoofingCWE-34524 Mar 2026
Mergedgptme
fix: use --env-file for docker secrets instead of CLI args (CWE-214)
Information DisclosureCWE-21425 Mar 2026
MergedPraisonAI
fix: harden env key validation — malformed keys, root/deployment type guards
Security Fix26 Mar 2026
MergedLightRAG
fix: sanitize entity_type in Memgraph upsert_node to prevent Cypher injection (CWE-89)
Input ValidationCWE-8927 Mar 2026
Mergedmcphub
fix: replace hardcoded default admin password with random generation (CWE-1188)
Security FixCWE-118829 Mar 2026
Mergedcontextplus
fix: path traversal in shadow restore system (CWE-22)
Path TraversalCWE-2231 Mar 2026
Write-up pending
Mergedcontextplus
fix: prevent CWE-78 command injection in static analysis runner
Command InjectionCWE-7831 Mar 2026
Write-up pending
MergedAIPex
fix: validate Origin header on WebSocket upgrade to prevent cross-site WebSocket hijacking
WebSocket Security3 Apr 2026
Mergededict
fix: apply allowed_roots check to file:// URLs in add_remote_skill (CWE-22)
Security FixCWE-224 Apr 2026
fix: add SSRF protection for webhook URLs (CWE-918)
SSRFCWE-9186 Apr 2026
Mergedrag
fix: validate file paths in MCP upload/update tools to prevent path traversal (CWE-22)
Path TraversalCWE-227 Apr 2026
Mergedmcp-searxng
fix: escape user input in extractSection regex to prevent ReDoS (CWE-1333)
Regex InjectionCWE-13337 Apr 2026
MergedAstrBot
fix: prevent path traversal in backup importer (CWE-22)
Path TraversalCWE-2219 Apr 2026
Write-up pending
Mergedcheckcle
fix(auth): stop persisting PocketBase JWT in localStorage (CWE-922)
Security FixCWE-9221 May 2026
Mergedkoodo-reader
fix(httpServer): restrict CORS to allow-listed origins (CWE-942)
CORS MisconfigurationCWE-9421 May 2026
Mergedmcphub
fix(security): require admin and redact secrets in MCP settings export (CWE-862)
Information DisclosureCWE-8621 May 2026
Mergedmcphub
fix(auth): reject scoped bearer keys on dashboard API (CWE-863)
Security FixCWE-8631 May 2026
Mergedgoogle_workspace_mcp
Security: prevent fork-PR code execution with write token in ruff workflow (CWE-77)
Security FixCWE-772 May 2026
Write-up pending
MergedCodeGraphContext
fix(viz): restrict CORS to localhost on visualization server (CWE-942)
CORS MisconfigurationCWE-9425 May 2026
Write-up pending
MergedCodeGraphContext
fix(viz): reject write Cypher on /api/graph (CWE-943)
Security FixCWE-9435 May 2026
Write-up pending
MergedCodeGraphContext
fix(security): enforce read-only Cypher execution in execute_cypher_query (CWE-943)
Security FixCWE-9435 May 2026
Write-up pending
Cherry-pickedhermes-agent
fix: prevent path traversal via .worktreeinclude entries
Path Traversal14 Mar 2026
This page updates automatically. Data sourced from GitHub via Sebastion's autonomous audit pipeline.