Search for packages
| purl | pkg:npm/opencode-ai@0.0.0-dev-202511090528 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-59xz-hkcz-wkb1
Aliases: CVE-2026-22812 GHSA-vxw4-wv6m-9hhh |
OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216. |
Affected by 1 other vulnerability. |
|
VCID-6371-kaex-gybe
Aliases: CVE-2026-22813 GHSA-c83v-7274-4vgp |
OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T20:47:41.544616+00:00 | GitLab Importer | Affected by | VCID-59xz-hkcz-wkb1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/opencode-ai/CVE-2026-22812.yml | 38.6.0 |
| 2026-06-12T20:46:44.819287+00:00 | GitLab Importer | Affected by | VCID-6371-kaex-gybe | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/opencode-ai/CVE-2026-22813.yml | 38.6.0 |