cpe:2.3:a:anoma:opencode:*:*:*:*:*:-:*:*
part: a version: * update: *
| Vendor | Anoma (3a1580ef-be2e-55d3-9d1e-0dfa1e975159) |
|---|---|
| Product | Opencode (4a6b49b1-225d-5d15-a0a4-d3c2830e475f) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | - |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-22813 | vulnerable | 2026-06-08 07:51:13.984493 | Malicious website can execute commands on the local system through XSS in the OpenCode web UI<br>OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10.<br>Published: 2026-01-12T22:52:35.103Z<br>Updated: 2026-01-13T19:07:23.038Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-22812 | vulnerable | 2026-06-08 07:51:13.984090 | OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution<br>HIGH (8.8)<br>OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.<br>Published: 2026-01-12T22:49:18.325Z<br>Updated: 2026-01-13T19:07:37.056Z | Imported from gcve-enriched-dumps CVE data |