19 matches found
@_mustachio/ai-review-agent (>=1.4.1 <=1.5.0), @antaif3ng/til-work (=0.6.0) +38 more potentially affected by CVE-2026-22813 via opencode-ai (>=0.14.7 <=1.14.48)
opencode-ai NPM version =0.14.7, =1.4.1, =0.1.0, =0.17.0, =2.4.0-canary.0ba816b, =1.0.0, =1.1.0, =1.0.7, =0.0.1, =0.1.0, =5.0.0-alpha.7, =5.0.0-alpha.16 and more
Source cves: CVE-2026-22813
Source advisory: OSV:GHSA-C83V-7274-4VGP...
CVE-2026-22813 Malicious website can execute commands on the local system through XSS in the OpenCode web UI
OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response...
CVE-2026-22813
The CVE-2026-22813 issue affects OpenCode, where the markdown renderer for LLM responses does not sanitize HTML, allowing arbitrary HTML/JavaScript to run in the OpenCode web UI at http://localhost:4096. The root cause is lack of DOM sanitization and CSP, enabling XSS that can leverage the localh...
CVE-2026-22813

creationtimestamp| type| source
---|---|---
2026-01-12 21:32:40+00:00| published-proof-of-concept| https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp
2026-01-13 00:02:07+00:00| published-proof-of-concept| Telegram/4zuUlGU6EvpMTWPbip1D3Ts-WMioI6unE3WF1UcmysLKI
2026-01-13...

CVE-2024-22813
An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to overwrite the hardcoded IP address in the device memory, disrupting network connectivity between the router and the controller...
CVE-2023-22813
A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Android Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS...
CVE-2022-22813
A CWE-798: Use of Hard-coded Credentials vulnerability exists. If an attacker were to obtain the TLS cryptographic key and take active control of the Courier tunneling communication network, they could potentially observe and manipulate traffic associated with product configuration...
CVE-2025-22813

creationtimestamp| type| source
---|---|---
2025-01-09 16:18:14+00:00| seen| https://bsky.app/profile/cve-notifications.bsky.social/post/3lfd3dndymc2e
2025-01-09 17:46:08+00:00| seen| https://t.me/cvedetector/14866
2025-01-10 21:04:20+00:00| published-proof-of-concept|...

CVE-2025-22813
CVE-2025-22813 is a stored XSS in ChatBot Conversational Forms (WordPress plugin) affecting Conversational Forms for ChatBot up to and including 1.4.2. Exploitation requires authentication (Contributor+). The issue is fixed in a patched release; upgrade to the patched version to mitigate. Details...
CVE-2025-22813 WordPress ChatBot Conversational Forms plugin <= 1.4.2 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in QuantumCloud Conversational Forms for ChatBot conversational-forms allows Stored XSS. This issue affects Conversational Forms for ChatBot: from n/a through = 1.4.2...
CVE-2023-22813

creationtimestamp| type| source
---|---|---
2023-05-09 02:37:55+00:00| seen| https://t.me/cibsecurity/63528...

CVE-2023-22813 Device API endpoint missing access controls on Western Digital Mobile and Web Apps
A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Android Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS...
CVE-2023-22813
The CVE-2023-22813 entry describes a vulnerability in Western Digital My Cloud OS 5 and related apps (My Cloud OS 5 Mobile/Web, My Cloud Home Mobile/Web, ibi Mobile/Web, SanDisk ibi) where a device API endpoint lacks access controls due to a permissive CORS policy and no authentication for privat...
CVE-2022-22813

creationtimestamp| type| source
---|---|---
2022-02-10 02:29:27+00:00| seen| https://t.me/cibsecurity/37212...

CVE-2022-22813
A CWE-798: Use of Hard-coded Credentials vulnerability exists. If an attacker were to obtain the TLS cryptographic key and take active control of the Courier tunneling communication network, they could potentially observe and manipulate traffic associated with product configuration...
CVE-2022-22813
A CWE-798: Use of Hard-coded Credentials vulnerability exists. If an attacker were to obtain the TLS cryptographic key and take active control of the Courier tunneling communication network, they could potentially observe and manipulate traffic associated with product configuration...
CVE-2022-22813
CVE-2022-22813 describes a CWE-798 hard-coded credentials issue in Schneider Electric Easergy P40 devices, where if an attacker obtains the TLS cryptographic key and takes control of the Courier tunneling/communication network, they could observe and manipulate product configuration traffic. Affe...
CVE-2021-22813

creationtimestamp| type| source
---|---|---
2022-01-28 22:28:18+00:00| seen| https://t.me/cibsecurity/36512...

CVE-2021-22813
CVE-2021-22813 is a Cross‑Site Scripting (CWE-79) vulnerability affecting Schneider Electric NMC/NMC2/NMC3 devices across UPS, PDU, and related network cards. A privileged user can trigger arbitrary script execution by clicking a malicious URL referencing an edit policy file. The connected docume...