| purl | pkg:npm/opencode-ai@1.0.216 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-hzxt-kugv-73fy (aliases: CVE-2026-22813, GHSA-c83v-7274-4vgp) | Malicious website can execute commands on the local system through XSS in the OpenCode web UI. A malicious website can abuse the server URL override feature of the OpenCode web UI to achieve cross-site scripting on `http://localhost:4096`. From there, it is possible to run arbitrary commands on the local system using the `/pty/` endpoints provided by the OpenCode API. | |

Affected by 0 other vulnerabilities.
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-n2xt-r2vu-dkha | OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution. OpenCode automatically starts an unauthenticated HTTP server that allows any local process—or any website via permissive CORS—to execute arbitrary shell commands with the user's privileges. | CVE-2026-22812, GHSA-vxw4-wv6m-9hhh |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T06:38:57.348292+00:00 | GitLab Importer | Affected by | VCID-hzxt-kugv-73fy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/opencode-ai/CVE-2026-22813.yml | 38.6.0 |
| 2026-06-05T21:56:18.771425+00:00 | GHSA Importer | Fixing | VCID-n2xt-r2vu-dkha | https://github.com/advisories/GHSA-vxw4-wv6m-9hhh | 38.6.0 |
| 2026-06-04T16:54:05.681749+00:00 | GithubOSV Importer | Fixing | VCID-n2xt-r2vu-dkha | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-vxw4-wv6m-9hhh/GHSA-vxw4-wv6m-9hhh.json | 38.6.0 |
| 2026-06-02T04:49:30.859394+00:00 | GitLab Importer | Fixing | VCID-n2xt-r2vu-dkha | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/opencode-ai/CVE-2026-22812.yml | 38.6.0 |