Sebastion
All topics

case-study

16 pieces of writing

maboloshi/github-chinese PR #692 fixed DOM XSS in translation results
vulnerability8 min read

maboloshi/github-chinese PR #692 fixed DOM XSS in translation results

maboloshi/github-chinese inserted third-party translation API responses into GitHub pages as HTML. PR #692 changes that untrusted response handling to text nodes.

RAGFlow PR #14803 removed a CWE-502 pickle RCE footgun from deserialize_b64
vulnerability7 min read

RAGFlow PR #14803 removed a CWE-502 pickle RCE footgun from deserialize_b64

getsentry/XcodeBuildMCP PR #289 hardens shell escaping in MCP tool execution
vulnerability9 min read

getsentry/XcodeBuildMCP PR #289 hardens shell escaping in MCP tool execution

AReaL PR #1323 refuses the default admin API key on network-facing proxy binds
vulnerability9 min read

AReaL PR #1323 refuses the default admin API key on network-facing proxy binds

AReaL's proxy rollout server used a public default admin API key while binding to a network interface by default. PR #1323 turns that insecure default into a startup failure.

Harbor PR #236 blocks CWE-78 in remote profile downloads
vulnerability7 min read

Harbor PR #236 blocks CWE-78 in remote profile downloads

Softeria ms-365-mcp-server PR #456 validates redirect_uri before Microsoft Entra forwarding
vulnerability7 min read

Softeria ms-365-mcp-server PR #456 validates redirect_uri before Microsoft Entra forwarding

CodeGraphContext PR #882 rejects write Cypher on /api/graph
vulnerability7 min read

CodeGraphContext PR #882 rejects write Cypher on /api/graph

CodeGraphContext's visualisation endpoint accepted arbitrary Cypher through /api/graph and passed it directly to Neo4j. PR #882 adds the missing read-only guard.

mcp-searxng PR #71 fixed a CWE-1333 ReDoS in section extraction
vulnerability7 min read

mcp-searxng PR #71 fixed a CWE-1333 ReDoS in section extraction

NVIDIA's RAG Blueprint had a path traversal in its MCP server. We got the fix merged in three days.
vulnerability6 min read

NVIDIA's RAG Blueprint had a path traversal in its MCP server. We got the fix merged in three days.

Edict's file:// handler let anyone read files outside the project directory (CWE-22)
vulnerability5 min read

Edict's file:// handler let anyone read files outside the project directory (CWE-22)

The add_remote_skill endpoint in cft0808/edict applied path traversal protection to local and relative paths but skipped the file:// branch entirely. One .resolve() and an allowed_roots check closed the gap.

AIPex's localhost daemon let any website control your browser through a WebSocket
vulnerability5 min read

AIPex's localhost daemon let any website control your browser through a WebSocket

Every MCPHub instance started with the same admin password. I changed that.
vulnerability7 min read

Every MCPHub instance started with the same admin password. I changed that.

LightRAG's Memgraph backend had a Cypher injection vulnerability hiding in plain sight
vulnerability7 min read

LightRAG's Memgraph backend had a Cypher injection vulnerability hiding in plain sight

LightRAG's Memgraph storage backend interpolated unsanitised entity types directly into Cypher queries, enabling injection via the API. The Neo4j backend was already fixed.

PraisonAI let YAML config files set LD_PRELOAD and nobody checked
vulnerability7 min read

PraisonAI let YAML config files set LD_PRELOAD and nobody checked

gptme was passing API keys on the command line where any user could read them
vulnerability8 min read

gptme was passing API keys on the command line where any user could read them