Security: nick-pape/grackle
Security
No security policy detected
This project has not set up a SECURITY.md file yet.
Report a vulnerability-
Fail-open authorization in the MCP tool layer lets scoped agents perform cross-task and cross-session mutations (IDOR)GHSA-f9ff-5x35-7gfw published
May 29, 2026 by nick-papeHigh -
Command/argument injection in the git worktree executor enables RCE on provisioned hosts via an unsanitized task branch name (shell:true)GHSA-vv65-f55v-xm6g published
May 29, 2026 by nick-papeHigh -
L-5: JSON.parse Without try-catch in gRPC Service AdapterConfig HandlingGHSA-8g29-8xwr-qmhr published
Mar 22, 2026 by nick-papeLow -
L-4: Unescaped Error String in renderPairingPage() HTML TemplateGHSA-7q9x-8g6p-3x75 published
Mar 22, 2026 by nick-papeLow -
L-1: Missing Secure Flag on Session CookieGHSA-5j35-xr4g-vwf4 published
Mar 22, 2026 by nick-papeLow -
M-2: Missing Content-Security-Policy and X-Frame-Options HeadersGHSA-3mjm-x6gw-2x42 published
Mar 22, 2026 by nick-papeModerate -
M-1: PowerLine Runs Without Authentication by DefaultGHSA-xq7h-vwjp-5vrh published
Mar 22, 2026 by nick-papeModerate -
H-2: Missing WebSocket Origin Header ValidationGHSA-w3hv-x4fp-6h6j published
Mar 22, 2026 by nick-papeHigh -
H-1: Workspace Authorization Bypass in knowledge_search MCP ToolGHSA-647h-p824-99w7 published
Mar 22, 2026 by nick-papeHigh
Learn more about advisories related to nick-pape/grackle in the GitHub Advisory Database