Issues in Eyevinn/open-live
Search results for: is:issue state:open
Label legend: bug = Something isn't working; good-first-issue = Well-scoped, beginner-friendly; ready-for-dev = Human-triaged, safe for autonomous agent pickup; security = Security vulnerability; triaged = Issue has been reviewed and categorised.

#70 [SECURITY][HIGH] data:text/html explicitly permitted in graphicUrl() — arbitrary JavaScript execution in Strom's headless Chromium (cefsrc)
    Labels: bug, ready-for-dev, security, triaged. Status: Open.

#69 [SECURITY][MEDIUM] log-redact.ts defines redactSensitive() and safeFlowProjection() but they are never imported — sensitive data logged in plaintext
    Labels: bug, ready-for-dev, security, triaged. Status: Open.

#68 [SECURITY][LOW] PipZone border.color has no hex color format validation — arbitrary string injected into Strom pipeline
    Labels: bug, good-first-issue, ready-for-dev, security, triaged. Status: Open.

#67 [SECURITY][MEDIUM] WebSocket SET_TRANSITION accepts arbitrary free-form transitionType string — no allowlist enforced
    Labels: bug, good-first-issue, ready-for-dev, security, triaged. Status: Open.

#66 [SECURITY][MEDIUM] WebSocket SET_EFFECT uses Zod .passthrough() — arbitrary attacker-controlled fields forwarded to Strom API
    Labels: bug, good-first-issue, ready-for-dev, security, triaged. Status: Open.

#65 [SECURITY][HIGH] httpUrlOnly() has no private IP blocklist — SSRF to internal infrastructure via graphic/HTML source URLs
    Labels: bug, ready-for-dev, security, triaged. Status: Open.

#64 [SECURITY][LOW] safeSelector() Mango injection guard defined but never called — dead-code safety net
    Labels: bug, security, triaged. Status: Open.

#63 [SECURITY][LOW] No pnpm audit step in CI — supply chain vulnerabilities not auto-detected
    Labels: bug, security, triaged. Status: Open.

#62 [SECURITY][HIGH] CouchDB admin port 5984 bound to 0.0.0.0 in docker-compose — admin API exposed to network
    Labels: bug, security, triaged. Status: Open.

#61 [SECURITY][MEDIUM] dskInput in graphic assignments lacks regex validation — arbitrary strings reach Strom flow link topology
    Labels: bug, security, triaged. Status: Open.

#60 [SECURITY][MEDIUM] Unvalidated production values (pgm_resolution, pgm_framerate) forwarded raw to Strom block properties
    Labels: bug, security, triaged. Status: Open.

#59 [SECURITY][MEDIUM] Unauthenticated POST /api/v1/reconnect leaks infrastructure status even when API_KEY is set
    Labels: bug, security, triaged. Status: Open.