Security: Jovancoding/Network-AI
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
** `ApprovalInbox` GET read routes remain unauthenticated and wildcard-CORS after the GHSA-mxjx-28vx-xjjj fix — queued high-risk action content disclosed even when a `secret` is setGHSA-m4jg-6w3q-gm86 published
Jul 5, 2026 by JovancodingHigh -
APSAdapter Default Local Verifier Accepts Any Non-Empty SignatureGHSA-3jf7-33vc-hgf4 published
Jul 5, 2026 by JovancodingHigh -
EnvironmentManager.backup() follows symlinked directories and copies files outside the environment root into backupsGHSA-6x2m-p4xp-wg22 published
Jun 18, 2026 by JovancodingModerate -
EnvironmentManager.restore() backup ID path traversal copies arbitrary directories into environment dataGHSA-48x2-6pr9-2jjf published
Jun 18, 2026 by JovancodingModerate -
Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruningGHSA-2fmp-9rvw-hc96 published
Jun 18, 2026 by JovancodingHigh -
AgentRuntime sandbox path-prefix checks allow file access outside the configured base directoryGHSA-jvcm-f35g-w78p published
Jun 18, 2026 by JovancodingModerate -
ApprovalInbox HTTP server has no authentication — anyone can approve pending agent actionsGHSA-mxjx-28vx-xjjj published
Jun 18, 2026 by JovancodingModerate -
Improper Neutralization of Special Elements used in an OS Command in network-aiGHSA-qw6v-5fcf-5666 published
Jun 2, 2026 by JovancodingCritical -
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requestsGHSA-r78r-rwrf-rjwp published
May 23, 2026 by JovancodingCritical -
Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default SecretGHSA-j3vx-cx2r-pvg8 published
May 16, 2026 by JovancodingHigh