CVE-2026-22812

Exploit

EPSS 4.14%
Veröffentlicht 12.01.2026 22:49:18
Zuletzt bearbeitet 21.01.2026 15:14:59
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Anoma ≫ Opencode SwPlatform- Version < 1.0.216

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	4.14%	0.884

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

CWE-749 Exposed Dangerous Method or Function

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

CWE-942 Permissive Cross-domain Policy with Untrusted Domains

The product uses a cross-domain policy file that includes domains that should not be trusted.

https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-22812

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-22812

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-22812

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-22812