Package details: pkg:npm/opencode-ai@1.0.108
purl pkg:npm/opencode-ai@1.0.108
Next non-vulnerable version 1.1.10
Latest non-vulnerable version 1.1.10
Risk 4.5
Vulnerabilities affecting this package (2)
Vulnerability: VCID-hzxt-kugv-73fy
Aliases: CVE-2026-22813, GHSA-c83v-7274-4vgp
Summary: Malicious website can execute commands on the local system through XSS in the OpenCode web UI.
A malicious website can abuse the server URL override feature of the OpenCode web UI to achieve cross-site scripting on `http://localhost:4096`. From there, it is possible to run arbitrary commands on the local system using the `/pty/` endpoints provided by the OpenCode API.
Fixed by: 1.1.10 (affected by 0 other vulnerabilities)

Vulnerability: VCID-n2xt-r2vu-dkha
Aliases: CVE-2026-22812, GHSA-vxw4-wv6m-9hhh
Summary: OpenCode's unauthenticated HTTP server allows arbitrary command execution.
OpenCode automatically starts an unauthenticated HTTP server that allows any local process—or any website via permissive CORS—to execute arbitrary shell commands with the user's privileges.
Fixed by: 1.0.216 (affected by 1 other vulnerability)
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date: 2026-06-06T06:40:01.240744+00:00
Actor: GitLab Importer
Action: Affected by VCID-n2xt-r2vu-dkha
Source: https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/opencode-ai/CVE-2026-22812.yml
VulnerableCode version: 38.6.0

Date: 2026-06-06T06:38:56.707071+00:00
Actor: GitLab Importer
Action: Affected by VCID-hzxt-kugv-73fy
Source: https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/opencode-ai/CVE-2026-22813.yml
VulnerableCode version: 38.6.0