Lookup for vulnerable packages by Package URL.

Purl pkg:npm/opencode-ai@1.0.108
Type npm
Namespace
Name opencode-ai
Version 1.0.108
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.1.10
Latest_non_vulnerable_version 1.1.10
Affected_by_vulnerabilities
0
url VCID-hzxt-kugv-73fy
vulnerability_id VCID-hzxt-kugv-73fy
summary
Malicious website can execute commands on the local system through XSS in the OpenCode web UI
A malicious website can abuse the server URL override feature of the OpenCode web UI to achieve cross-site scripting on `http://localhost:4096`. From there, it is possible to run arbitrary commands on the local system using the `/pty/` endpoints provided by the OpenCode API.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22813
reference_id
reference_type
scores
0
value 0.00043
scoring_system epss
scoring_elements 0.13751
published_at 2026-06-06T12:55:00Z
1
value 0.00043
scoring_system epss
scoring_elements 0.13659
published_at 2026-06-09T12:55:00Z
2
value 0.00043
scoring_system epss
scoring_elements 0.13626
published_at 2026-06-08T12:55:00Z
3
value 0.00043
scoring_system epss
scoring_elements 0.13712
published_at 2026-06-07T12:55:00Z
4
value 0.00043
scoring_system epss
scoring_elements 0.13748
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22813
1
reference_url https://github.com/anomalyco/opencode
reference_id
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/anomalyco/opencode
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22813
reference_id CVE-2026-22813
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22813
3
reference_url https://github.com/advisories/GHSA-c83v-7274-4vgp
reference_id GHSA-c83v-7274-4vgp
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c83v-7274-4vgp
4
reference_url https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp
reference_id GHSA-c83v-7274-4vgp
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-01-13T14:13:29Z/
url https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp
fixed_packages
0
url pkg:npm/opencode-ai@1.1.10
purl pkg:npm/opencode-ai@1.1.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/opencode-ai@1.1.10
aliases CVE-2026-22813, GHSA-c83v-7274-4vgp
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hzxt-kugv-73fy
1
url VCID-n2xt-r2vu-dkha
vulnerability_id VCID-n2xt-r2vu-dkha
summary
OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution
OpenCode automatically starts an unauthenticated HTTP server that allows any local process—or any website via permissive CORS—to execute arbitrary shell commands with the user's privileges.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22812
reference_id
reference_type
scores
0
value 0.05324
scoring_system epss
scoring_elements 0.90229
published_at 2026-06-06T12:55:00Z
1
value 0.05324
scoring_system epss
scoring_elements 0.90242
published_at 2026-06-09T12:55:00Z
2
value 0.05324
scoring_system epss
scoring_elements 0.90226
published_at 2026-06-08T12:55:00Z
3
value 0.05324
scoring_system epss
scoring_elements 0.90227
published_at 2026-06-07T12:55:00Z
4
value 0.05324
scoring_system epss
scoring_elements 0.9023
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22812
1
reference_url https://github.com/anomalyco/opencode
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/anomalyco/opencode
2
reference_url https://github.com/anomalyco/opencode/commit/7d2d87fa2c44e32314015980bb4e59a9386e858c
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/anomalyco/opencode/commit/7d2d87fa2c44e32314015980bb4e59a9386e858c
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22812
reference_id CVE-2026-22812
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22812
4
reference_url https://github.com/advisories/GHSA-vxw4-wv6m-9hhh
reference_id GHSA-vxw4-wv6m-9hhh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vxw4-wv6m-9hhh
5
reference_url https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh
reference_id GHSA-vxw4-wv6m-9hhh
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-13T14:13:37Z/
url https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh
fixed_packages
0
url pkg:npm/opencode-ai@1.0.216
purl pkg:npm/opencode-ai@1.0.216
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hzxt-kugv-73fy
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/opencode-ai@1.0.216
aliases CVE-2026-22812, GHSA-vxw4-wv6m-9hhh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n2xt-r2vu-dkha
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/opencode-ai@1.0.108