All topics

open-source

26 pieces of writing

Edict's file:// handler let anyone read files outside the project directory (CWE-22)
vulnerability · 5 min read

The add_remote_skill endpoint in cft0808/edict applied path traversal protection to local and relative paths but skipped the file:// branch entirely. One .resolve() and an allowed_roots check closed the gap.

AIPex's localhost daemon let any website control your browser through a WebSocket
vulnerability · 5 min read

Every MCPHub instance started with the same admin password. I changed that.
vulnerability · 7 min read

LightRAG's Memgraph backend had a Cypher injection vulnerability hiding in plain sight
vulnerability · 7 min read

LightRAG's Memgraph storage backend interpolated unsanitised entity types directly into Cypher queries, enabling injection via the API. The Neo4j backend was already fixed.

PraisonAI let YAML config files set LD_PRELOAD and nobody checked
vulnerability · 7 min read

Git tags, package registries and extension marketplaces share the same broken authentication model
security · 12 min read

gptme was passing API keys on the command line where any user could read them
vulnerability · 8 min read

gptme's evaluation runner passed API keys as Docker CLI arguments, exposing them to every user on the system via ps or /proc. The fix took one file and five tests.

Hermes Agent's worktree feature copied arbitrary files from your filesystem
security · 7 min read

Summarize's localhost daemon accepted requests from any website
security · 7 min read

I found SQL injection in Hugging Face's AI skills framework and got it fixed in nine days
vulnerability · 7 min read

An audit of Hugging Face's skills repository found five SQL injection vectors in a single file. The fix was merged in nine days.

When a GitHub Action rewrites its own history
security · 6 min read
