
github.com/raye-deng/open-code-review

Submitted 6/10/2026, 4:52:33 PM · Status: ok

Risk grade: F (100 / 100)
Findings: 153 (1 critical · 44 high · 105 medium · 2 low · 1 info · 0 on CISA KEV · 0 ATT&CK)
Showing 153 of 153 findings

Findings

  • When the Vitest UI server is listening, arbitrary files can be read and executed
    grype · CVE-2026-47429
  • Detected aws-access-token: Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.
    gitleaks
  • Detected aws-access-token: Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.
    gitleaks
  • Detected aws-access-token: Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.
    gitleaks
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected github-pat: Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.
    gitleaks
  • Detected github-pat: Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.
    gitleaks
  • Detected slack-bot-token: Identified a Slack Bot token, which may compromise bot integrations and communication channel security.
    gitleaks
  • Detected slack-bot-token: Identified a Slack Bot token, which may compromise bot integrations and communication channel security.
    gitleaks
  • Detected stripe-access-token: Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.
    gitleaks
  • Detected stripe-access-token: Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.
    gitleaks
  • Detected stripe-access-token: Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.
    gitleaks
  • Detected stripe-access-token: Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.
    gitleaks
  • defu: Prototype pollution via `__proto__` key in defaults argument
    grype · CVE-2026-35209 · EPSS 0.0%
  • fast-uri vulnerable to host confusion via percent-encoded authority delimiters
    grype · CVE-2026-6322 · EPSS 0.0%
  • fast-uri vulnerable to path traversal via percent-encoded dot segments
    grype · CVE-2026-6321 · EPSS 0.1%
  • flatted vulnerable to unbounded recursion DoS in parse() revive phase
    grype · CVE-2026-32141 · EPSS 0.0%
  • path-to-regexp vulnerable to Denial of Service via sequential optional groups
    grype · CVE-2026-4926 · EPSS 0.0%
  • Prototype Pollution via parse() in NodeJS flatted
    grype · CVE-2026-33228 · EPSS 0.1%
  • Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
    grype · CVE-2026-1526 · EPSS 0.0%
  • Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
    grype · CVE-2026-2229 · EPSS 0.2%
  • Detected calls to child_process from a function argument `query`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.
    semgrep · packages/core/tests/v4/fixtures/demo-new-detections.ts:24
  • Detected calls to child_process from a function argument `userDir`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.
    semgrep · packages/core/tests/v4/fixtures/demo-new-detections.ts:19
  • Detected calls to child_process from a function argument `userDir`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.
    semgrep · packages/core/tests/v4/fixtures/demo-new-detections.ts:18
  • Generic API Key detected
    semgrep · packages/core/tests/v4/l3-e2e.test.ts:423
  • Generic API Key detected
    semgrep · packages/core/tests/v4/l3-e2e.test.ts:415
  • Generic API Key detected
    semgrep · packages/core/tests/v4/l3-e2e.test.ts:161
  • Generic API Key detected
    semgrep · packages/core/tests/v4/l3-e2e.test.ts:140
  • GitHub Token detected
    semgrep · demo-scan/demo-example-keys.js:34
  • The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this breaks both confidentiality and integrity if the key is used more than once. Other modes are still affected…
    semgrep · demo-scan/deprecated-nodejs.js:25
  • The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this breaks both confidentiality and integrity if the key is used more than once. Other modes are still affected…
    semgrep · demo-scan/deprecated-nodejs.js:21
  • fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw…
    trivy · CVE-2026-6322
  • fast-uri: Path traversal vulnerability allows bypass of security policies
    fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize…
    trivy · CVE-2026-6321
  • path-to-regexp: Denial of Service via crafted regular expressions
    Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Work…
    trivy · CVE-2026-4926
  • undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter
    Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d…
    trivy · CVE-2026-2229
  • undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression
    The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en…
    trivy · CVE-2026-1526

This report is public.