Heuristic detection

Silent patches — security fixes without disclosure

Commits scored by structural heuristics, CWE fingerprint matching, and pattern analysis. Each entry represents a potential security fix that was merged without a corresponding advisory or CVE — the most dangerous class of vulnerability for downstream consumers.

598
Suspects detected
High score (≥ 60)
Fingerprint matches
Unique repos
Detection pipeline
GitHub Events ~500 commits/day Layer 1 Structural heuristics Layer 2 CWE fingerprint matching Layer 3 LLM review

Commits scored on file paths, code patterns, unsafe-to-safe replacements, and matched against 28 CWE signatures. Higher score = higher probability of unreported security fix.

Suspects
c1f74671 76.2 openssl/openssl
Commit message
Add valgrind CT support to ML-DSA
Primary suspect file
crypto/ml_dsa/ml_dsa_sample.c (file score: 15)
Detection signals
sec_file:crypto[._/] surgical +constant_time
2026-04-16 Viktor Dukhovni View commit ↗
c1f74671 76.2 openssl/openssl
Commit message
Add valgrind CT support to ML-DSA
Primary suspect file
crypto/ml_dsa/ml_dsa_sample.c (file score: 15)
Detection signals
sec_file:crypto[._/] surgical +constant_time
2026-04-16 Viktor Dukhovni View commit ↗
fc0a0ebd 66.2 django/django
Commit message
Formatted JavaScript files.
Primary suspect file
django/contrib/admin/static/admin/js/SelectBox.js (file score: 13)
Detection signals
-innerHTML = -function(
2026-04-19 Tom Carrick View commit ↗
34b661a9 65.0 hashicorp/consul
Commit message
Fixed XDS package to generate correct endpoints and cluster config for API Gateways when peered and updated the API Gateway updateHandler to propagate mesh gateway config to its upstreams. (#23454)
Primary suspect file
agent/xds/testdata/secrets/api-gateway-with-peers-mesh-mode-local-and-upstream-is-hostname.latest.golden (file score: 11)
Detection signals
sec_file:secrets?[._/] surgical +nonce
2026-04-22 Abhishek Yadav View commit ↗
f45bb996 62.5 openssl/openssl
Commit message
Precompute some helper objects in each SSL_CTX
Primary suspect file
ssl/ssl_lib.c (file score: 15)
Detection signals
sec_file:ssl[._/] moderate +hmac -md5 -sha1 swap:\bMD5\b→\bSHA256\b swap:\bSHA1\b→\bSHA256\b
2026-04-07 Viktor Dukhovni View commit ↗
f45bb996 62.5 openssl/openssl
Commit message
Precompute some helper objects in each SSL_CTX
Primary suspect file
ssl/ssl_lib.c (file score: 15)
Detection signals
sec_file:ssl[._/] moderate +hmac -md5 -sha1 swap:\bMD5\b→\bSHA256\b swap:\bSHA1\b→\bSHA256\b
2026-04-07 Viktor Dukhovni View commit ↗
62175c7c 55.0 WWBN/AVideo
Commit message
fix: Update cookie handling to use avideoCookieOptions for consistency and security
Primary suspect file
view/theme.css.php (file score: 11)
Detection signals
surgical +httponly +samesite
2026-04-13 Daniel Neto View commit ↗
6d339d6a 55.0 lobehub/lobe-chat
Commit message
🐛 fix(agent-runtime): sanitize invalid tool_call arguments to unbreak strict providers (#14033)
Primary suspect file
packages/utils/src/sanitizeToolCallArguments.ts (file score: 10)
Detection signals
sec_file:sanitiz moderate +sanitizeToolCallArguments
2026-04-22 Arvin Xu View commit ↗
aba87285 52.5 go-gitea/gitea
Commit message
Remove dead code identified by `deadcode` tool (#37271)
Primary suspect file
models/system/notice.go (file score: 9)
Detection signals
surgical -Sprintf(
2026-04-20 silverwind View commit ↗
fc72fdcd 52.5 gravitational/teleport
Commit message
Update tests to inject modules instead of relying on modulestest.SetTestModules (#65976)
Primary suspect file
lib/auth/grpcserver.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-22 rosstimothy View commit ↗
99706987 51.2 mongodb/mongo
Commit message
SERVER-116329 Rename FLE2 prefixPreview to prefix and suffixPreview to suffix (v2) (#51600)
Primary suspect file
src/mongo/crypto/encryption_fields.idl (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-13 Owen Chen View commit ↗
aee6628b 51.2 go-gitea/gitea
Commit message
Fix URL related escaping for oauth2 (#37334)
Primary suspect file
models/auth/oauth2.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-21 wxiaoguang View commit ↗
9e876e09 50.0 openssl/openssl
Commit message
Rename ossl_asn1_string_set_bits_left to something more expressive
Primary suspect file
crypto/asn1/a_bitstr.c (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-06 Norbert Pocs View commit ↗
9e876e09 50.0 openssl/openssl
Commit message
Rename ossl_asn1_string_set_bits_left to something more expressive
Primary suspect file
crypto/asn1/a_bitstr.c (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-06 Norbert Pocs View commit ↗
4811b10d 50.0 casdoor/casdoor
Commit message
feat: improve MFA page UI
Primary suspect file
web/src/auth/MfaSetupPage.js (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-13 Yang Luo View commit ↗
4860cf3c 50.0 gravitational/teleport
Commit message
Add `DelegationSessionService.GenerateCerts` RPC (#64897)
Primary suspect file
lib/auth/accesspoint/accesspoint.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-14 Dan Upton View commit ↗
6966d366 50.0 lobehub/lobe-chat
Commit message
🐛 fix(userMemories): should trim way too long bm25 (#13744)
Primary suspect file
packages/database/src/models/userMemory/activity.ts (file score: 8)
Detection signals
surgical +sanitizeBm25Query
2026-04-13 Neko View commit ↗
281c1dc9 50.0 apache/cassandra
Commit message
Enable IAuthenticator to declare supported and alterable role options
Primary suspect file
src/java/org/apache/cassandra/auth/AuthConfig.java (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2025-10-14 Joel Shepherd View commit ↗
cfa9901b 50.0 gravitational/teleport
Commit message
Beams service dependencies (#65524)
Primary suspect file
lib/auth/accesspoint/accesspoint.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-15 Dan Upton View commit ↗
8313e239 50.0 google/boringssl
Commit message
Clear unused bits in ASN1_STRING_set/set0
Primary suspect file
crypto/asn1/asn1_lib.cc (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-13 David Benjamin View commit ↗
c1c5c039 50.0 gravitational/teleport
Commit message
Stop consuming global modules in auth packages (#65883)
Primary suspect file
lib/auth/auth.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-20 rosstimothy View commit ↗
48e80466 50.0 gravitational/teleport
Commit message
Add LinuxDesktop gRPC and backend (#62974)
Primary suspect file
lib/auth/accesspoint/accesspoint.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-21 Przemko Robakowski View commit ↗
c796ed1a 50.0 openjdk/jdk
Commit message
Merge
Primary suspect file
src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java (file score: 11)
Detection signals
sec_file:crypto[._/] moderate +SecureRandom
2026-04-22 Jaikiran Pai View commit ↗
ace8fec5 50.0 aws/aws-sdk-js-v3
Commit message
feat(client-bedrock-agentcore-control): Adds support for Amazon Bedrock AgentCore Harness control plane APIs, enabling customers to create, manage, and configure managed agent loops with customizable
Primary suspect file
clients/client-bedrock-agentcore-control/src/commands/CreateOauth2CredentialProviderCommand.ts (file score: 8)
Detection signals
sec_file:credential surgical
2026-04-22 awstools View commit ↗
3bcfbbe9 48.8 redis/redis
Commit message
Add new OBJ_GCRA type (#14905)
Primary suspect file
src/acl.c (file score: 11)
Detection signals
sec_file:acl[._/] surgical +ratelimit
2026-04-15 Mincho Paskalev View commit ↗
e9a30f11 48.8 keycloak/keycloak
Commit message
Initial support for OAuth 2.0 Attestation-based client authentication (#47962)
Primary suspect file
core/src/main/java/org/keycloak/jose/jws/crypto/RSAProvider.java (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-20 Thomas Diesler View commit ↗
459b2cb2 47.5 quarkusio/quarkus
Commit message
Log security event related to Let's Encrypt
Primary suspect file
extensions/tls-registry/cli/src/main/java/io/quarkus/tls/cli/letsencrypt/AcmeClient.java (file score: 9)
Detection signals
sec_file:encrypt moderate +Rate limit
2026-04-12 Clement Escoffier View commit ↗
df601489 47.5 curl/curl
Commit message
clang-tidy: enable more checks, fix fallouts
Primary suspect file
lib/vauth/ntlm.c (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-03-03 Viktor Szakats View commit ↗
82bfde2a 47.5 go-gitea/gitea
Commit message
Use Content-Security-Policy: script nonce (#37232)
Primary suspect file
templates/user/auth/captcha.tmpl (file score: 11)
Detection signals
sec_file:auth[._/] surgical +nonce
2026-04-15 wxiaoguang View commit ↗
1e7abe08 47.5 gravitational/teleport
Commit message
Support username in role templates and expressions (#64888)
Primary suspect file
lib/auth/auth.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-15 Dan Upton View commit ↗
c29a34cd 47.5 nodejs/node
Commit message
crypto: add JWK support for ML-KEM and SLH-DSA key types
Primary suspect file
benchmark/crypto/kem.js (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-21 Filip Skokan View commit ↗
4572872a 46.2 marimo-team/marimo
Commit message
fix: use shared memory for virtual files when running with app isolation (#9181)
Primary suspect file
marimo/_pyodide/pyodide_session.py (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-14 Akshay Agrawal View commit ↗
31fb778a 46.2 hashicorp/vault
Commit message
[UI] VAULT-42756 - Secret sync WIF implementation (#14001) (#14167)
Primary suspect file
ui/lib/sync/addon/components/secrets/page/destinations.ts (file score: 8)
Detection signals
sec_file:secrets?[._/] surgical
2026-04-22 Vault Automation View commit ↗
df0bcba2 45.7 PROTOTYPE_POLLUTION→OVERRIDE hashicorp/consul
Commit message
Addition of json omitempty for ACLToken name field and its related structs (#23484)
Primary suspect file
agent/structs/acl.go (file score: 7)
Detection signals
sec_file:acl[._/] surgical
2026-04-22 P Ajay Rao View commit ↗
a54baeb1 45.0 ory/hydra
Commit message
fix: add governs automation for terraform provider codegen
Primary suspect file
internal/httpclient/model_accept_o_auth2_login_request.go (file score: 8)
Detection signals
sec_file:login[._/] surgical
2026-04-14 Kevin View commit ↗
edabc9f8 45.0 gravitational/teleport
Commit message
MWI Scopes[4]: Scoped bot joining and bound keypair support (#65366)
Primary suspect file
lib/auth/auth_with_roles.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-16 Tim Buckley View commit ↗
b73c2008 45.0 authelia/authelia
Commit message
ci: add goimports-reviser linter (#11841)
Primary suspect file
internal/suites/suites_credentials.go (file score: 8)
Detection signals
sec_file:credential surgical
2026-04-20 Amir Zarrinkafsh View commit ↗
91caa689 45.0 gravitational/teleport
Commit message
Enforce join token locks for agents (#65818)
Primary suspect file
lib/auth/auth.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-20 Tim Buckley View commit ↗
e8c4a764 44.2 WEAK_CRYPTO aws/aws-sdk-js-v3
Commit message
feat(client-s3-control): This release adds support for five additional checksum algorithms for data integrity checking in Amazon S3 - MD5, SHA-512, XXHash3, XXHash64, and XXHash128.
Primary suspect file
clients/client-s3-control/src/commands/CreateJobCommand.ts (file score: 15)
Detection signals
surgical -MD5 -SHA1 swap:\bMD5\b→\bSHA256\b swap:\bSHA1\b→\bSHA256\b
2026-04-22 awstools View commit ↗
593bfdd9 43.8 logto-io/logto
Commit message
feat(account): add stable CSS class names for custom CSS targeting (#8629)
Primary suspect file
packages/account/src/pages/Security/DeleteAccountSection/index.tsx (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-13 wangsijie View commit ↗
70a190a2 43.8 hashicorp/consul
Commit message
ACL token name using auth method token name format (#23444)
Primary suspect file
agent/config/testdata/TestRuntimeConfig_Sanitize.golden (file score: 7)
Detection signals
sec_file:sanitiz surgical
2026-04-13 P Ajay Rao View commit ↗
6e322ef3 43.8 elastic/elasticsearch
Commit message
Remove XPackLicenseState from DLS/FLS (#146093)
Primary suspect file
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-13 Elliot Barlas View commit ↗
383ff8c6 43.8 php/php-src
Commit message
ext/session: improve parsing of session.cookie_lifetime (#21704)
Primary suspect file
ext/session/session.c (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-20 Jorg Adam Sowa View commit ↗
7cd10329 43.8 keycloak/keycloak
Commit message
A User belonging to multiple organization should be allowed to change his organization choice during login (#48165)
Primary suspect file
services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java (file score: 8)
Detection signals
sec_file:login[._/] surgical
2026-04-21 Vlasta Ramik View commit ↗
1ee309ea 43.8 dotnet/runtime
Commit message
[naot] [Runtime async] Support for covariant override of Task -> Task<T> (#126768)
Primary suspect file
src/coreclr/nativeaot/System.Private.CoreLib/src/Internal/Runtime/CompilerServices/MethodNameAndSignature.cs (file score: 7)
Detection signals
sec_file:private[._/] surgical
2026-04-21 Eduardo Velarde View commit ↗
770e62e5 42.5 dotnet/runtime
Commit message
Remove deprecated OpenSSL RSA APIs (#126034)
Primary suspect file
src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-13 Pranav Senthilnathan View commit ↗
e9f10719 42.5 NVIDIA/OpenShell
Commit message
fix(security): harden sandbox SSH with mandatory HMAC secret, NetworkPolicy, and nonce replay detection (#127)
Primary suspect file
deploy/docker/cluster-entrypoint.sh (file score: 11)
Detection signals
surgical +HMAC
2026-03-05 John T. Myers View commit ↗
f083ac3f 42.5 laravel/framework
Commit message
Normalize Carbon (#59750)
Primary suspect file
tests/Integration/Http/RequestDurationThresholdTest.php (file score: 10)
Detection signals
surgical -function (
2026-04-18 Lucas Michot View commit ↗
3d51a578 40.0 google/boringssl
Commit message
Raw Public Keys: Process and verify received RPKs
Primary suspect file
crypto/err/ssl.errordata (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-02-20 Lily Chen View commit ↗
2410cf40 40.0 pnpm/pnpm
Commit message
feat: add pnpm docs command and home alias (#11244)
Primary suspect file
auth/commands/src/login.ts (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-14 Alessio Attilio View commit ↗
458f3077 40.0 google/boringssl
Commit message
Remove an unused label and dead code from chacha20_poly1305_armv8.pl
Primary suspect file
crypto/cipher/asm/chacha20_poly1305_armv8.pl (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-20 David Benjamin View commit ↗
ac0a7e60 40.0 denoland/deno
Commit message
fix(ext/node): improve node:tls compat (validation, pipes, JS streams) (#33331)
Primary suspect file
tests/node_compat/config.jsonc (file score: 9)
Detection signals
sec_file:config[._/] surgical +forbidden
2026-04-20 Bartek Iwańczuk View commit ↗
ac0a7e60 40.0 denoland/deno
Commit message
fix(ext/node): improve node:tls compat (validation, pipes, JS streams) (#33331)
Primary suspect file
tests/node_compat/config.jsonc (file score: 9)
Detection signals
sec_file:config[._/] surgical +forbidden
2026-04-20 Bartek Iwańczuk View commit ↗
720b899b 40.0 keycloak/keycloak
Commit message
Add a title atttribute for the freemarker templates (#48276)
Primary suspect file
services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java (file score: 8)
Detection signals
sec_file:login[._/] surgical
2026-04-21 Ricardo Martin View commit ↗
a435a363 40.0 mongodb/mongo
Commit message
SERVER-124254 Add stub _shardsvrReshardDonorCriticalSectionStarted (#52273)
Primary suspect file
jstests/auth/internal_command_auth_validation.js (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-22 Brett Nawrocki View commit ↗
f6843e9f 38.8 google/boringssl
Commit message
Set IWYU pragmas for prefix_symbols.h and friends.
Primary suspect file
crypto/internal.h (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-07 Rudolf Polzer View commit ↗
bbcaed2e 38.8 NVIDIA/OpenShell
Commit message
refactor(proto): rename UpdateSettings to UpdateConfig for consistency with read path (#515)
Primary suspect file
crates/openshell-server/tests/auth_endpoint_integration.rs (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-03-20 John T. Myers View commit ↗
168e92c6 38.8 google/boringssl
Commit message
Add #includes missing from RPK implementation
Primary suspect file
ssl/ssl_session.cc (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-15 Lily Chen View commit ↗
4203e32d 38.8 lobehub/lobe-chat
Commit message
♻️ refactor: createAgent uses `agentModel.create` directly (#13871)
Primary suspect file
packages/database/src/models/session.ts (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-16 Arvin Xu View commit ↗
6f82234f 38.8 dotnet/runtime
Commit message
Reapply "Inline CORINFO_HELP_ARRADDR_ST helper call, remove WriteBarr… …ier FCall" (#126530) (#126547)
Primary suspect file
src/coreclr/System.Private.CoreLib/src/System/Array.CoreCLR.cs (file score: 7)
Detection signals
sec_file:private[._/] surgical
2026-04-18 Egor Bogatov View commit ↗
2dc239f1 38.8 logto-io/logto
Commit message
fix(account): restore security page desktop value alignment (#8677)
Primary suspect file
packages/account/src/pages/Security/UsernameSection/index.module.scss (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-20 wangsijie View commit ↗
6e70a8c2 38.8 dotnet/runtime
Commit message
JIT: Avoid resolving def-use conflicts by changing use registers (#125333)
Primary suspect file
src/coreclr/jit/codegenxarch.cpp (file score: 9)
Detection signals
surgical -assert(
2026-04-19 Jakob Botsch Nielsen View commit ↗
75559c73 38.8 ory/kratos
Commit message
fix: restore continuity container for native OIDC flows with incomplete data
Primary suspect file
selfservice/strategy/password/settings.go (file score: 8)
Detection signals
sec_file:password[._/] surgical
2026-04-22 Jonas Hungershausen View commit ↗
c0be1447 38.8 astral-sh/ruff
Commit message
[ty] Fix notifications about watched changes for entities outside any workspace (#24775)
Primary suspect file
crates/ty_project/src/db/changes.rs (file score: 8)
Detection signals
moderate -system(
2026-04-22 Tomasz Kramkowski View commit ↗
74f16e15 37.5 laravel/framework
Commit message
[13.x] Add enum support to AuthManager guard and shouldUse methods (#59646)
Primary suspect file
src/Illuminate/Auth/AuthManager.php (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-12 yousef kadah View commit ↗
f8877ba1 37.5 google/boringssl
Commit message
Raw Public Keys: Store peer cert type and RPK in SSL_SESSION
Primary suspect file
include/openssl/prefix_symbols.h (file score: 6)
Detection signals
sec_file:ssl[._/] surgical
2026-02-20 Lily Chen View commit ↗
58645e46 37.5 google/boringssl
Commit message
Turn SSL_CREDENTIAL into a namespaced opaque struct
Primary suspect file
ssl/extensions.cc (file score: 6)
Detection signals
sec_file:ssl[._/] surgical
2026-04-15 David Benjamin View commit ↗
f7d0a4be 37.5 mongodb/mongo
Commit message
SERVER-122849 Rename 'preventWrites' to 'blockReplicaSetWrites' (#50744)
Primary suspect file
jstests/auth/lib/commands_lib.js (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-15 Anna Maria Nestorov View commit ↗
9e0833c3 37.5 pnpm/pnpm
Commit message
feat: add minimumReleaseAgeIgnoreMissingTime setting (#11293)
Primary suspect file
config/reader/src/Config.ts (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-18 Zoltan Kochan View commit ↗
a0471d59 37.5 lobehub/lobe-chat
Commit message
✨ feat(chat-input): branch ahead/behind badge + GitCtr refactor (#13980)
Primary suspect file
src/features/ChatInput/RuntimeConfig/BranchSwitcher.tsx (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-19 Arvin Xu View commit ↗
6cfb75b2 37.5 mongodb/mongo
Commit message
SERVER-100156 Remove changePrimary command (#50732)
Primary suspect file
jstests/auth/internal_command_auth_validation.js (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-21 Daniele Alessandrelli View commit ↗
0533de0a 37.5 envoyproxy/envoy
Commit message
openssl: Add more compat functions (#44561)
Primary suspect file
compat/openssl/BUILD (file score: 6)
Detection signals
sec_file:ssl[._/] surgical
2026-04-21 Jonh Wendell View commit ↗
74f14b1c 37.5 grafana/grafana
Commit message
Datasources: Finish decoupling mssql, tempo, and graphite - frontend changes (#119106)
Primary suspect file
eslint.config.js (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-21 Nathan Vērzemnieks View commit ↗
cb07ac65 37.5 gravitational/teleport
Commit message
Remove unused DeleteAllProxies RPC/Method (#65969)
Primary suspect file
lib/auth/apiserver.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-22 Noah Stride View commit ↗
ad269edd 36.2 apache/airflow
Commit message
Fix redirect loop when stale root-path `_token` cookie exists from older Airflow instance (#64955)
Primary suspect file
airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py (file score: 15)
Detection signals
sec_file:auth[._/] surgical +httponly +samesite
2026-04-13 Daniel Wolf View commit ↗
13560136 36.2 keycloak/keycloak
Commit message
Introduce manage-organizations, view-organizations admin roles for Organization management
Primary suspect file
server-spi-private/src/main/java/org/keycloak/models/AdminRoles.java (file score: 7)
Detection signals
sec_file:private[._/] surgical
2026-03-18 vramik View commit ↗
1057bccd 36.2 elastic/elasticsearch
Commit message
Entitlement: hierarchy-aware instrumentation for subtype classes (#144674)
Primary suspect file
libs/entitlement/src/main/java/org/elasticsearch/entitlement/config/FileStoreInstrumentation.java (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-21 Mark Vieira View commit ↗
d981dbfd 36.2 semgrep/semgrep
Commit message
chore: bump cmdliner to 2.x (semgrep/semgrep-proprietary#6098)
Primary suspect file
src/spacegrep/src/bin/Spacecat_main.ml (file score: 10)
Detection signals
surgical -eval (
2026-04-20 Nathan Taylor View commit ↗
d981dbfd 36.2 returntocorp/semgrep
Commit message
chore: bump cmdliner to 2.x (semgrep/semgrep-proprietary#6098)
Primary suspect file
src/spacegrep/src/bin/Spacecat_main.ml (file score: 10)
Detection signals
surgical -eval (
2026-04-20 Nathan Taylor View commit ↗
0c22f7bb 35.3 UNCLASSIFIED laravel/framework
Commit message
[13.x] testsuite (#59702)
Primary suspect file
tests/Auth/AuthGuardTest.php (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-15 Lucas Michot View commit ↗
40dbb06f 35.0 freebsd/freebsd-src
Commit message
inpcb: retire INP_DROPPED and in_pcbdrop()
Primary suspect file
sys/dev/cxgbe/crypto/t6_kern_tls.c (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-12 Gleb Smirnoff View commit ↗
de5330c5 35.0 rabbitmq/rabbitmq-server
Commit message
`rabbitmq_auth_backend_cache`: delegate `expiry_timestamp/1` and `update_state/2`
Primary suspect file
deps/rabbitmq_auth_backend_cache/src/rabbit_auth_backend_cache_app.erl (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-14 Michael Klishin View commit ↗
f92923e0 35.0 NVIDIA/OpenShell
Commit message
docs(fern): finalize preview workflow and nav cleanup (#784)
Primary suspect file
fern/pages/reference/gateway-auth.mdx (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-09 Piotr Mlocek View commit ↗
fc8f069c 35.0 hashicorp/consul
Commit message
update: go version to 1.26.2 (#23394)
Primary suspect file
command/acl/templatedpolicy/formatter.go (file score: 7)
Detection signals
sec_file:acl[._/] surgical
2026-04-15 Sreeram Narayanan View commit ↗
0b95c427 35.0 gravitational/teleport
Commit message
Remove unused DeleteAllTunnelConnections & DeleteTunnelConnections RPCs (#65932)
Primary suspect file
lib/auth/auth_with_roles.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-20 Noah Stride View commit ↗
98aaf210 35.0 ory/kratos
Commit message
feat: carry over upstream OIDC acr/amr to session AAL
Primary suspect file
selfservice/strategy/oidc/provider_config.go (file score: 8)
Detection signals
sec_file:config[._/] moderate +allowlist
2026-04-21 Henning Perl View commit ↗
4f1dedbe 35.0 gravitational/teleport
Commit message
Add APIs for handling Entra ID groups overage on SAML connectors (#65653)
Primary suspect file
web/packages/teleport/src/Login/LoginFailed.tsx (file score: 8)
Detection signals
sec_file:login[._/] surgical
2026-04-21 nixpig View commit ↗
bcba3246 34.1 MISSING_AUTHZ→RESOURCE WWBN/AVideo
Commit message
fix: Enhance duration validation and output encoding to prevent XSS vulnerabilities
Primary suspect file
view/include/playlist.php (file score: 9)
Detection signals
surgical +htmlspecialchars
2026-04-13 Daniel Neto View commit ↗
7a78af51 33.8 quarkusio/quarkus
Commit message
Move TransactionalInterceptorBase and related classes to the .runtime package
Primary suspect file
extensions/narayana-jta/runtime/src/main/java/io/quarkus/narayana/jta/runtime/interceptor/TransactionalInterceptorBase.java (file score: 5)
Detection signals
sec_file:intercept surgical
2026-04-09 Yoann Rodière View commit ↗
6dd6b2cb 33.8 mongodb/mongo
Commit message
Import wiredtiger: eba1b61fb29643459253a251d69e335d604b693e from branch mongodb-master (#51772)
Primary suspect file
src/third_party/wiredtiger/src/session/session_api.c (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-14 Ivan Kochin View commit ↗
15d9bdec 33.8 envoyproxy/envoy
Commit message
feat: ability to set status for destination not found in stateful session (#44210)
Primary suspect file
api/envoy/extensions/filters/http/stateful_session/v3/stateful_session.proto (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-14 Rudrakh Panigrahi View commit ↗
f906ba7b 33.8 gravitational/teleport
Commit message
sessionsearch[3]: wire summarizer resources into the cache layer (#64560)
Primary suspect file
lib/auth/accesspoint/accesspoint.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-13 Tiago Silva View commit ↗
53b7ce71 33.8 NVIDIA/OpenShell
Commit message
fix(core): harden file permissions for user config directory (#328)
Primary suspect file
crates/openshell-bootstrap/src/mtls.rs (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-03-15 Drew Newberry View commit ↗
90990141 33.8 NVIDIA/OpenShell
Commit message
fix(cli): improve sandbox provisioning progress indicator (#221)
Primary suspect file
crates/navigator-cli/src/auth.rs (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-03-11 Drew Newberry View commit ↗
437507d1 33.8 pyca/cryptography
Commit message
MLKEM-768 with AWS-LC (#14598)
Primary suspect file
src/cryptography/hazmat/backends/openssl/backend.py (file score: 6)
Detection signals
sec_file:ssl[._/] surgical
2026-04-15 dm View commit ↗
bcffdcbf 33.8 gravitational/teleport
Commit message
session-helper: move the sftp subcommand to reexec.RunAndExit (#65392)
Primary suspect file
session/sftputils/local.go (file score: 10)
Detection signals
sec_file:session[._/] moderate +RealPath
2026-04-15 Edoardo Spadolini View commit ↗
f757de83 33.8 golang/go
Commit message
go/types, types2: improve type inference for assignment contexts
Primary suspect file
src/cmd/compile/internal/types2/expr.go (file score: 9)
Detection signals
surgical -assert(
2026-01-27 Mark Freeman View commit ↗
f757de83 33.8 golang/go
Commit message
go/types, types2: improve type inference for assignment contexts
Primary suspect file
src/cmd/compile/internal/types2/expr.go (file score: 9)
Detection signals
surgical -assert(
2026-01-27 Mark Freeman View commit ↗
ccc606ed 33.8 pnpm/pnpm
Commit message
feat: pnpm agent — server-side resolution for faster installs (#11251)
Primary suspect file
config/reader/src/Config.ts (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-20 Zoltan Kochan View commit ↗
a323c345 33.8 logto-io/logto
Commit message
feat(core): support staged signing key rotation routes (#8679)
Primary suspect file
packages/core/src/libraries/logto-config.ts (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-22 Charles Zhao View commit ↗
a4a29e9e 33.8 aws/aws-sdk-js-v3
Commit message
feat(client-ivs): Adds support for Amazon IVS server-side ad insertion
Primary suspect file
clients/client-ivs/src/commands/BatchGetChannelCommand.ts (file score: 7)
Detection signals
surgical +contentSecurityPolicy
2026-04-22 awstools View commit ↗
afdf925b 33.8 unjs/unhead
Commit message
chore: remove unused dependencies and exports (#746)
Primary suspect file
packages/react/build.config.ts (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-22 Harlan Wilton View commit ↗
31d76ccb 33.8 lobehub/lobe-chat
Commit message
⬆️ chore: upgrade Vite to 8.0.0 (#12720)
Primary suspect file
vite.config.ts (file score: 11)
Detection signals
sec_file:config[._/] large_penalty +execFile +path.resolve
2026-04-22 Innei View commit ↗
70cdba10 32.5 openssl/openssl
Commit message
Add some crypto atomic pointer ops
Primary suspect file
include/openssl/crypto.h.in (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-01 Neil Horman View commit ↗
70cdba10 32.5 openssl/openssl
Commit message
Add some crypto atomic pointer ops
Primary suspect file
include/openssl/crypto.h.in (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-01 Neil Horman View commit ↗
531dad0c 32.5 openjdk/jdk
Commit message
8369917: LMS/HSS RFC 9858 Support
Primary suspect file
src/java.base/share/classes/sun/security/provider/DigestBase.java (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-13 Mark Powers View commit ↗
beafe3db 32.5 google/boringssl
Commit message
rust: bssl-tls: Introduce control over certificate stores and chains
Primary suspect file
rust/bssl-tls/src/io.rs (file score: 11)
Detection signals
sec_file:tls[._/] surgical +sanitize_slice
2026-03-24 Xiangfei Ding View commit ↗
eea495e6 32.5 NVIDIA/OpenShell
Commit message
fix: remediate 9 security findings from external audit (OS-15 through OS-23) (#744)
Primary suspect file
crates/openshell-server/src/auth.rs (file score: 10)
Detection signals
sec_file:auth[._/] large_penalty +CONTENT_SECURITY_POLICY +nonce
2026-04-03 John T. Myers View commit ↗
e8378490 32.5 NVIDIA/OpenShell
Commit message
feat(bootstrap): resume gateway from existing state and persist SSH handshake secret (#488)
Primary suspect file
crates/openshell-bootstrap/src/constants.rs (file score: 11)
Detection signals
surgical +HMAC
2026-04-02 Drew Newberry View commit ↗
7050ec97 32.5 gravitational/teleport
Commit message
terraform: Add `ui_config` resource to terraform provider (#65201)
Primary suspect file
integrations/terraform/provider/resource_teleport_auth_preference.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-15 Kevin View commit ↗
22aef0f0 32.5 rust-lang/rust
Commit message
Rollup merge of #155406 - alexcrichton:update-wasi-deps, r=Mark-Simulacrum
Primary suspect file
library/std/src/os/wasi/net/mod.rs (file score: 8)
Detection signals
surgical -unsafe {
2026-04-18 Jonathan Brouwer View commit ↗
7d5889a7 32.5 lobehub/lobe-chat
Commit message
✨ feat(heterogeneous-agent): git-aware runtime config + topic rename modal + inspectors (#13951)
Primary suspect file
packages/types/src/agent/agencyConfig.ts (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-18 Arvin Xu View commit ↗
27c039d8 32.5 mongodb/mongo
Commit message
SERVER-123367 Handle auth for new fastcount oplog entries (#52165)
Primary suspect file
src/mongo/db/auth/action_type.idl (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-20 Parker Felix View commit ↗
a6d45528 32.5 NVIDIA/OpenShell
Commit message
feat(server,sandbox): supervisor-initiated SSH connect and exec over gRPC-multiplexed relay (#867)
Primary suspect file
crates/openshell-driver-kubernetes/src/config.rs (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-21 Piotr Mlocek View commit ↗
72a0e5d1 31.2 casdoor/casdoor
Commit message
feat: fix shared application login for users from linked organizations
Primary suspect file
object/token_oauth.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-14 Yang Luo View commit ↗
f36678bc 31.2 cockroachdb/cockroach
Commit message
sql/stats: decouple canary_stats_mode from canary_fraction cluster setting (#168273)
Primary suspect file
pkg/sql/session_var_descriptions.go (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-13 trunk-io[bot] View commit ↗
59925458 31.2 cockroachdb/cockroach
Commit message
sql/stats: decouple canary_stats_mode from canary_fraction cluster setting
Primary suspect file
pkg/sql/session_var_descriptions.go (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-13 ZhouXing19 View commit ↗
dcebf75f 31.2 laravel/framework
Commit message
Flip misordered assertions arguments (#59691)
Primary suspect file
tests/Http/Middleware/TrustProxiesTest.php (file score: 5)
Detection signals
sec_file:middleware[._/] surgical
2026-04-14 Lucas Michot View commit ↗
50c5299e 31.2 timescale/timescaledb
Commit message
Remove dead process_hypertable_invalidations policy code
Primary suspect file
sql/policy_api.sql (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-04-14 Sven Klemm View commit ↗
89a6e04c 31.2 NVIDIA/OpenShell
Commit message
feat(providers): inject provider credentials into sandbox child processes at runtime (!26)
Primary suspect file
crates/navigator-cli/tests/mtls_integration.rs (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-02-17 Drew Newberry View commit ↗
115d041c 31.2 mongodb/mongo
Commit message
SERVER-122486 SERVER-123719 Make createCollection commit authoritative (#49675)
Primary suspect file
jstests/auth/internal_command_auth_validation.js (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-15 Pol Piñol Castuera View commit ↗
241b8e1a 31.2 django/django
Commit message
Formatted CSS files.
Primary suspect file
django/contrib/admin/static/admin/css/login.css (file score: 8)
Detection signals
sec_file:login[._/] surgical
2026-04-18 Tom Carrick View commit ↗
7fe751ea 31.2 lobehub/lobe-chat
Commit message
✨ feat: billboard in sidebar (#13962)
Primary suspect file
packages/edge-config/src/index.ts (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-18 Rdmclin2 View commit ↗
c960d480 31.2 NVIDIA/OpenShell
Commit message
fix(sandbox): canonicalize HTTP request-targets before L7 policy evaluation (#878)
Primary suspect file
crates/openshell-sandbox/data/sandbox-policy.rego (file score: 9)
Detection signals
sec_file:policy[._/] surgical +allowlist
2026-04-21 John T. Myers View commit ↗
7bba2205 31.2 dotnet/runtime
Commit message
Handle canonical types in casting logic (#127146)
Primary suspect file
src/coreclr/nativeaot/System.Private.TypeLoader/src/System.Private.TypeLoader.csproj (file score: 7)
Detection signals
sec_file:private[._/] surgical
2026-04-21 Michal Strehovský View commit ↗
caff989f 31.2 go-gitea/gitea
Commit message
Fix `relative-time` error and improve global error handler (#37241)
Primary suspect file
web_src/js/modules/errors.ts (file score: 14)
Detection signals
moderate -innerHTML = swap:\binnerHTML\b→\btextContent\b
2026-04-21 silverwind View commit ↗
17456f8c 31.2 trufflesecurity/trufflehog
Commit message
Revert "[INS-397] Fix git version parser panic on non-numeric patch versions …" (#4903)
Primary suspect file
pkg/gitcmd/gitcmd.go (file score: 7)
Detection signals
moderate -exec.Command
2026-04-21 trufflesteeeve View commit ↗
a28fe52c 31.2 dotnet/runtime
Commit message
[Wasm RyuJit] EH, Unwind, and unwindable frames (#127043)
Primary suspect file
src/coreclr/jit/fgwasm.h (file score: 9)
Detection signals
surgical -assert(
2026-04-23 Andy Ayers View commit ↗
c48000dc 31.2 mongodb/mongo
Commit message
SERVER-124993: Add bazel rules for resmoke's multiversion setup (#51648)
Primary suspect file
bazel/resmoke/resmoke_shim.py (file score: 11)
Detection signals
moderate +os.path.abspath +safe_load
2026-04-22 Sean Lyons View commit ↗
83bdfc2a 31.2 go-gitea/gitea
Commit message
Support for Custom URI Schemes in OAuth2 Redirect URIs (#37356)
Primary suspect file
modules/validation/binding.go (file score: 9)
Detection signals
sec_file:validat moderate -Sprintf(
2026-04-22 wxiaoguang View commit ↗
e8d89074 31.2 Azure/azure-sdk-for-python
Commit message
Replat azure-ai-agentserver-githubcopilot onto agentserver-core 2.0 + responses 1.0 (#46101)
Primary suspect file
sdk/agentserver/azure-ai-agentserver-githubcopilot/tests/integration/deploy.py (file score: 13)
Detection signals
moderate +subprocess.run -Popen(
2026-04-22 jodeklotzms View commit ↗
0c7ce348 30.0 aio-libs/aiohttp
Commit message
Allow decompression to continue after exceeding max_length (#11966)
Primary suspect file
aiohttp/compression_utils.py (file score: 5)
Detection signals
moderate +max_length +max size
2026-04-12 Sam Bull View commit ↗
e8da0e5b 30.0 redis/redis
Commit message
Fix brittle assert_match patterns for unexpected slowlog fields (#14948)
Primary suspect file
tests/unit/acl.tcl (file score: 7)
Detection signals
sec_file:acl[._/] surgical
2026-04-13 h.o.t. neglected View commit ↗
1744b6fc 30.0 grafana/grafana
Commit message
RBAC: Reject `*` resource name in resource permissions writes (#122425)
Primary suspect file
pkg/registry/apis/iam/resourcepermission/mapper.go (file score: 7)
Detection signals
sec_file:permission[._/] surgical
2026-04-13 Gabriel MABILLE View commit ↗
75695014 30.0 NVIDIA/OpenShell
Commit message
refactor(python): rename navigator module to openshell and migrate config to gateway paths (#220)
Primary suspect file
crates/navigator-cli/src/tls.rs (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-03-11 Drew Newberry View commit ↗
4a78865b 30.0 NVIDIA/OpenShell
Commit message
feat(ci): add CLI binary builds and snapshot release to publish workflow (#110)
Primary suspect file
crates/navigator-cli/tests/mtls_integration.rs (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-03-05 Drew Newberry View commit ↗
835a0ad4 30.0 payloadcms/payload
Commit message
feat(next): add support for custom collection views (#16243)
Primary suspect file
packages/payload/src/collections/config/sanitize.spec.ts (file score: 7)
Detection signals
sec_file:sanitiz large_penalty +sanitize
2026-04-15 Paul View commit ↗
a7998cc9 30.0 FasterXML/jackson-databind
Commit message
Fix #5897: skip TokenBuffer allocation for unknown properties in records (#5907)
Primary suspect file
src/main/java/tools/jackson/databind/deser/bean/BeanDeserializer.java (file score: 6)
Detection signals
sec_file:deserializ surgical
2026-04-15 Viktor Szathmáry View commit ↗
b97e13cc 30.0 pallets/werkzeug
Commit message
move structured header parsing to class methods (#3116)
Primary suspect file
src/werkzeug/datastructures/auth.py (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-18 David Lord View commit ↗
81fa30a3 30.0 google/boringssl
Commit message
Add some missing #includes
Primary suspect file
ssl/ssl_credential.cc (file score: 8)
Detection signals
sec_file:credential surgical
2026-04-20 Lily Chen View commit ↗
396ebf22 30.0 gravitational/teleport
Commit message
sessionsearch[13]: Add telemetry for session summary searches with filters (#65772)
Primary suspect file
proto/prehog/v1alpha/teleport.proto (file score: 9)
Detection signals
moderate +HMAC
2026-04-20 Tiago Silva View commit ↗
13afb660 30.0 mongodb/mongo
Commit message
SERVER-124299 Disable sharding tests incompatible with persisted size/count (#52005)
Primary suspect file
jstests/sslSpecial/mixed_mode_sharded_nossl_part_1.js (file score: 6)
Detection signals
sec_file:ssl[._/] surgical
2026-04-21 Cedric Sirianni View commit ↗
8c67f913 30.0 google/boringssl
Commit message
rust: bssl-tls: Cope with upstream type inference regression
Primary suspect file
rust/bssl-tls/src/connection.rs (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-04-22 Xiangfei Ding View commit ↗
858e69ea 30.0 python/cpython
Commit message
gh-142186: Allow all PEP-669 events to be per-code object and disableable (GH-146182)
Primary suspect file
Python/ceval.h (file score: 9)
Detection signals
surgical -assert(
2026-04-22 Gabriele N. Tornetta View commit ↗
e48bec8f 30.0 denoland/deno
Commit message
Revert "fix(ext/napi): implement real V8 handle scopes and callback scopes" (#33363)
Primary suspect file
ext/napi/js_native_api.rs (file score: 11)
Detection signals
-unsafe { -transmute
2026-04-22 Bartek Iwańczuk View commit ↗
e48bec8f 30.0 denoland/deno
Commit message
Revert "fix(ext/napi): implement real V8 handle scopes and callback scopes" (#33363)
Primary suspect file
ext/napi/js_native_api.rs (file score: 11)
Detection signals
-unsafe { -transmute
2026-04-22 Bartek Iwańczuk View commit ↗
c62d3799 29.5 NULL_DEREF drupal/drupal
Commit message
fix: #2954725 AccountInterface::getLastAccessedTime() implementors return incorrect data type
Primary suspect file
core/lib/Drupal/Core/Session/UserSession.php (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-20 godotislate View commit ↗
f522aa2b 29.3 PROTOTYPE_POLLUTION→OVERRIDE symfony/symfony
Commit message
bug #63983 [Security] Throw BadCredentialsException on empty JSON login username/password (ousamabenyounes)
Primary suspect file
src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php (file score: 13)
Detection signals
sec_file:security[._/] surgical -sprintf(
2026-04-18 Nicolas Grekas View commit ↗
dce79918 29.3 PROTOTYPE_POLLUTION→OVERRIDE symfony/symfony
Commit message
[Security] Throw BadCredentialsException on empty JSON login username/password
Primary suspect file
src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php (file score: 13)
Detection signals
sec_file:security[._/] surgical -sprintf(
2026-04-17 Ousama Ben Younes View commit ↗
76025599 28.7 laravel/framework
Commit message
Improve custom driver binding (#59614)
Primary suspect file
src/Illuminate/Auth/AuthManager.php (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-13 Ollie Read View commit ↗
91f7d4e7 28.7 openssl/openssl
Commit message
ppc64le: Optimized MLKEM NTT, supports p8 (ISA 2.07) and above architectures.
Primary suspect file
crypto/ml_kem/asm/mlkem_ppc_macros_asm.inc (file score: 11)
Detection signals
sec_file:crypto[._/] large_penalty +Constant-time
2026-04-07 Danny Tsen View commit ↗
91f7d4e7 28.7 openssl/openssl
Commit message
ppc64le: Optimized MLKEM NTT, supports p8 (ISA 2.07) and above architectures.
Primary suspect file
crypto/ml_kem/asm/mlkem_ppc_macros_asm.inc (file score: 11)
Detection signals
sec_file:crypto[._/] large_penalty +Constant-time
2026-04-07 Danny Tsen View commit ↗
cdb21c62 28.7 keycloak/keycloak
Commit message
fix(admin-ui): replace explicit `catch (error: any)` with proper types (#47397)
Primary suspect file
js/apps/admin-ui/src/identity-providers/add/AddSamlConnect.tsx (file score: 7)
Detection signals
sec_file:saml surgical
2026-04-13 Pierluigi Lenoci View commit ↗
7d1b042d 28.7 rust-lang/rust
Commit message
Rollup merge of #149357 - arielb1:enforce-partial-mitigations, r=rcvalle
Primary suspect file
compiler/rustc_session/src/config.rs (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-14 Jacob Pratt View commit ↗
2e962a54 28.7 haproxy/haproxy
Commit message
MEDIUM: otel: implemented filter callbacks and event dispatcher
Primary suspect file
addons/otel/include/conf.h (file score: 7)
Detection signals
surgical +rate-limit
2026-04-12 Miroslav Zagorac View commit ↗
479e44dd 28.7 googleapis/google-cloud-python
Commit message
fix(bigframes): Fix bugs compiling ambiguous ids and in subqueries (#16617)
Primary suspect file
packages/bigframes/bigframes/session/_io/bigquery/__init__.py (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-13 TrevorBergeron View commit ↗
227ed28e 28.7 ggerganov/llama.cpp
Commit message
webui: MCP Diagnostics improvements (#21803)
Primary suspect file
tools/server/webui/src/lib/utils/index.ts (file score: 8)
Detection signals
surgical +sanitizeHeaders
2026-04-13 Aleksander Grygier View commit ↗
ff526432 28.7 NVIDIA/OpenShell
Commit message
feat(sandbox): allow egress to private IP space via allowed_ips policy field (#60)
Primary suspect file
dev-sandbox-policy.rego (file score: 7)
Detection signals
sec_file:policy[._/] moderate +allowlist
2026-03-03 John T. Myers View commit ↗
1b6e77f3 28.7 laravel/framework
Commit message
[13.x] Enforce static calls (#59704)
Primary suspect file
src/Illuminate/Console/Scheduling/Event.php (file score: 6)
Detection signals
surgical -sha1
2026-04-15 Lucas Michot View commit ↗
670993a8 28.7 redis/redis
Commit message
Replace fast_float C++ library with pure C implementation (#14661)
Primary suspect file
src/Makefile (file score: 10)
Detection signals
surgical -sha1 swap:\bSHA1\b→\bSHA256\b
2026-04-15 Salvatore Sanfilippo View commit ↗
2299a06e 28.7 apache/kafka
Commit message
KAFKA-20297: Move AbstractIterator, CircularIterator, CloseableIterator... into internal (#22052)
Primary suspect file
jmh-benchmarks/src/main/java/org/apache/kafka/jmh/record/CompressedRecordBatchValidationBenchmark.java (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-15 Ken Huang View commit ↗
7357d7fd 28.7 npm/cli
Commit message
fix!: remove npm adduser command
Primary suspect file
lib/commands/adduser.js (file score: 8)
Detection signals
moderate -exec (
2026-02-26 Michael Smith View commit ↗
c1657771 28.7 rust-lang/rust
Commit message
Rollup merge of #155447 - JonathanBrouwer:simplify-parse-limited, r=mejrs
Primary suspect file
compiler/rustc_resolve/src/imports.rs (file score: 8)
Detection signals
moderate -eval(
2026-04-18 Jonathan Brouwer View commit ↗
faf4d92a 28.7 keycloak/keycloak
Commit message
[OID4VCI-HAIP] Pass oid4vci-1_0-issuer-happy-flow (encrypted) (#47674)
Primary suspect file
services/src/main/java/org/keycloak/crypto/CryptoUtils.java (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-21 Thomas Diesler View commit ↗
130d86d4 28.7 openiddict/openiddict-core
Commit message
Remove the Microsoft.Net.Http.Headers dependency
Primary suspect file
sandbox/OpenIddict.Sandbox.AspNet.Client/Web.config (file score: 7)
Detection signals
sec_file:web\.config surgical
2026-04-22 Kévin Chalet View commit ↗
531d5493 28.7 netdata/netdata
Commit message
refactor(go.d/dyncfg): split job-name validation per domain (#22247)
Primary suspect file
src/go/plugin/agent/secrets/secretstore/helpers.go (file score: 8)
Detection signals
sec_file:secrets?[._/] surgical
2026-04-22 Ilya Mashchenko View commit ↗
3cf9397a 28.2 PROTOTYPE_POLLUTION→OVERRIDE spring-projects/spring-security
Commit message
Polish HtmlTemplates
Primary suspect file
web/src/main/java/org/springframework/security/web/authentication/ui/HtmlTemplates.java (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-15 Josh Cummings View commit ↗
6bcb666a 27.9 UNCLASSIFIED go-gitea/gitea
Commit message
Refactor htmx and fetch-action related code (#37186)
Primary suspect file
modules/web/middleware/cookie.go (file score: 5)
Detection signals
sec_file:middleware[._/] surgical
2026-04-13 wxiaoguang View commit ↗
785e3b28 27.6 PROTOTYPE_POLLUTION→OVERRIDE aws/aws-sdk-js-v3
Commit message
fix(core): replace Object.entries with for-in loops in shape serde (#7940)
Primary suspect file
packages-internal/core/src/submodules/protocols/json/JsonShapeDeserializer.ts (file score: 6)
Detection signals
sec_file:deserializ surgical
2026-04-19 Trivikram Kamat View commit ↗
a3960e8f 27.5 laravel/framework
Commit message
Apply fixes from StyleCI
Primary suspect file
tests/Auth/AuthenticateMiddlewareTest.php (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-13 StyleCI Bot View commit ↗
c21f3423 27.5 symfony/symfony
Commit message
minor #63956 [WebProfilerBundle] Improve profiler pages accessibility semantics (Nitram1123)
Primary suspect file
src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-14 Nicolas Grekas View commit ↗
4ef3ffe3 27.5 symfony/symfony
Commit message
[WebProfilerBundle] Improve profiler pages accessibility semantics
Primary suspect file
src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-13 Martin GILBERT View commit ↗
d1418740 27.5 vercel/next.js
Commit message
Bump TypeScript to 6.0 (#91257)
Primary suspect file
packages/next/src/compiled/sass-loader/cjs.js (file score: 10)
Detection signals
surgical -eval(
2026-04-14 Sebastian "Sebbie" Silbermann View commit ↗
77960701 27.5 casdoor/casdoor
Commit message
feat: add ThirdPartyLink DB table to support infinite third-party providers (#5392)
Primary suspect file
web/src/common/OAuthWidget.js (file score: 7)
Detection signals
sec_file:oauth surgical
2026-04-12 DacongDA View commit ↗
c08694bf 27.5 WWBN/AVideo
Commit message
fix: Prevent eval injection by sanitizing callback and message fields in YPTSocket
Primary suspect file
plugin/YPTSocket/script.js (file score: 10)
Detection signals
surgical -eval(
2026-04-13 Daniel Neto View commit ↗
3e2a1496 27.5 postgres/postgres
Commit message
Rework signal handler infrastructure to pass sender info as argument.
Primary suspect file
src/backend/tcop/postgres.c (file score: 10)
Detection signals
surgical -system(
2026-04-14 Andrew Dunstan View commit ↗
af651a14 27.5 Azure/azure-sdk-for-python
Commit message
[AutoPR azure-mgmt-computelimit]-generated-from-SDK Generation - Python-6087532 (#46017)
Primary suspect file
sdk/computelimit/azure-mgmt-computelimit/azure/mgmt/computelimit/_utils/serialization.py (file score: 10)
Detection signals
surgical -eval(
2026-04-20 Azure SDK Bot View commit ↗
46df77ac 27.5 lobehub/lobe-chat
Commit message
💄 style(tab-bar): blend inactive tabs with titlebar, show close icon by default (#13973)
Primary suspect file
src/features/ChatInput/RuntimeConfig/BranchSwitcher.tsx (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-19 Arvin Xu View commit ↗
13be2961 27.5 angular/angular
Commit message
ci: remove disabled side-effects integration tests
Primary suspect file
integration/side-effects/snapshots/core/esm2022.js (file score: 10)
Detection signals
surgical -function (
2026-04-20 Matthieu Riegler View commit ↗
ae5b765e 27.5 openjdk/jdk
Commit message
8382430: Extend output format of -XX:+PrintCompilation2 diagnostic flag
Primary suspect file
src/hotspot/share/oops/method.cpp (file score: 10)
Detection signals
surgical -strcpy(
2026-04-20 Vladimir Kozlov View commit ↗
5254b88e 27.5 denoland/deno
Commit message
fix(ext/node): http2 improvements — constants, error codes, settings, validation (#33332)
Primary suspect file
tests/node_compat/config.jsonc (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-21 Bartek Iwańczuk View commit ↗
8ba69fcc 27.5 hashicorp/vault
Commit message
Backport VAULT-43691 - Fix SQL injection risk in HANA and Redshift DeleteUser revoke paths into ce/main (#14047)
Primary suspect file
plugins/database/hana/hana.go (file score: 9)
Detection signals
surgical -Sprintf(
2026-04-21 Vault Automation View commit ↗
5254b88e 27.5 denoland/deno
Commit message
fix(ext/node): http2 improvements — constants, error codes, settings, validation (#33332)
Primary suspect file
tests/node_compat/config.jsonc (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-21 Bartek Iwańczuk View commit ↗
d9657937 27.5 php/php-src
Commit message
ext/session: fix missing zval_ptr_dtor for retval in PS_GC_FUNC(user)
Primary suspect file
ext/session/tests/user_session_module/gh_gc_retval_leak.phpt (file score: 10)
Detection signals
sec_file:session[._/] moderate +random_int
2026-04-14 Jorg Sowa View commit ↗
732e2325 27.5 go-gitea/gitea
Commit message
Fix typos (#37346)
Primary suspect file
models/auth/oauth2.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-21 Nicolas View commit ↗
be216b5c 27.5 gravitational/teleport
Commit message
Add support for Azure tenant ID join rules (#65866)
Primary suspect file
api/proto/teleport/scopes/joining/v1/token.proto (file score: 6)
Detection signals
sec_file:token[._/] surgical
2026-04-21 Gavin Frazar View commit ↗
0606b0ad 27.5 dotnet/runtime
Commit message
Use check_function_exists for deprecated OSSL RSA function (#127192)
Primary suspect file
src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-22 Pranav Senthilnathan View commit ↗
bd03ef2e 27.5 hashicorp/vault
Commit message
[UI] Fixes Overlapping Nav Panels Bug (#14175) (#14210)
Primary suspect file
ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-edge-cases-test.js (file score: 8)
Detection signals
sec_file:secrets?[._/] surgical
2026-04-22 Vault Automation View commit ↗
6d5945b8 27.5 Azure/azure-sdk-for-python
Commit message
[WebPubSub] Fix TSP migration deviations for Python SDK (#46175)
Primary suspect file
sdk/webpubsub/azure-messaging-webpubsubservice/azure/messaging/webpubsubservice/_utils/serialization.py (file score: 8)
Detection signals
moderate -eval(
2026-04-22 Shiying Chen View commit ↗
2a366749 27.5 lobehub/lobe-chat
Commit message
✨ feat(git-status): one-click pull/push from branch chip (#14041)
Primary suspect file
apps/desktop/src/main/controllers/GitCtr.ts (file score: 7)
Detection signals
+execFile
2026-04-22 Arvin Xu View commit ↗
f2f88281 26.2 openjdk/jdk
Commit message
8364182: Add jcmd VM.security_properties command
Primary suspect file
src/java.base/share/classes/java/security/Security.java (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-14 Kieran Farrell View commit ↗
a9d0065b 26.2 mongodb/mongo
Commit message
SERVER-123859 Remove `generateTableWrites` flag for index builds (#51627)
Primary suspect file
src/mongo/db/index_builds/index_build_interceptor.cpp (file score: 5)
Detection signals
sec_file:intercept surgical
2026-04-13 Gregory Noma View commit ↗
5aeaf376 26.2 envoyproxy/envoy
Commit message
network filters: add tcp bandwidth limit (#42996)
Primary suspect file
envoy/network/filter.h (file score: 5)
Detection signals
sec_file:filter[._/] surgical
2026-04-14 Anton Kanugalawattage View commit ↗
2d6a15ac 26.2 haproxy/haproxy
Commit message
MEDIUM: otel: added HAProxy variable storage for context propagation
Primary suspect file
addons/otel/include/filter.h (file score: 5)
Detection signals
sec_file:filter[._/] surgical
2026-04-12 Miroslav Zagorac View commit ↗
d8259263 26.2 gravitational/teleport
Commit message
Update error messages to remove duplicate strings (#65740)
Primary suspect file
lib/auth/join/boundkeypair/boundkeypair.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-14 Steven Martin View commit ↗
ff97ab48 26.2 laravel/framework
Commit message
Change count array comparison to empty array comparison to improve performance (#59688)
Primary suspect file
src/Illuminate/Support/ValidatedInput.php (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-14 Lucas Michot View commit ↗
f1708ab7 26.2 envoyproxy/envoy
Commit message
deps: Bump `boringssl` -> 0.20260413.0 (#44446)
Primary suspect file
compat/openssl/BUILD (file score: 6)
Detection signals
sec_file:ssl[._/] surgical
2026-04-14 dependency-envoy[bot] View commit ↗
55154659 26.2 elastic/elasticsearch
Commit message
[Transform] Skip HasPrivilege for CPS (#145684)
Primary suspect file
x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/TransformPrivilegeChecker.java (file score: 7)
Detection signals
sec_file:privilege surgical
2026-04-14 Pat Whelan View commit ↗
24b9654e 26.2 NVIDIA/OpenShell
Commit message
feat(cluster): add remote SSH deployment
Primary suspect file
crates/navigator-cli/src/tls.rs (file score: 9)
Detection signals
sec_file:tls[._/] moderate +sanitize_name
2026-02-10 Drew Newberry View commit ↗
bfca39a9 26.2 wolfSSL/wolfssl
Commit message
src/ssl.c, src/ssl_sess.c, src/x509.c, wolfssl/internal.h: rename wolfssl_get_ex_new_index() to wolfssl_local_get_ex_new_index().
Primary suspect file
src/ssl.c (file score: 6)
Detection signals
sec_file:ssl[._/] surgical
2026-04-15 Daniel Pouzzner View commit ↗
2db5feea 26.2 pyca/cryptography
Commit message
Revert "Add ML-KEM-512 support (#14670)" (#14671)
Primary suspect file
src/cryptography/hazmat/bindings/_rust/openssl/mlkem.pyi (file score: 6)
Detection signals
sec_file:ssl[._/] surgical
2026-04-16 Alex Gaynor View commit ↗
d4beb60d 26.2 pyca/cryptography
Commit message
Add ML-KEM-512 support (#14670)
Primary suspect file
src/cryptography/hazmat/bindings/_rust/openssl/mlkem.pyi (file score: 6)
Detection signals
sec_file:ssl[._/] surgical
2026-04-16 Alex Gaynor View commit ↗
bff564b0 26.2 pyca/cryptography
Commit message
Add ML-KEM-1024 support (#14669)
Primary suspect file
src/cryptography/hazmat/bindings/_rust/openssl/mlkem.pyi (file score: 6)
Detection signals
sec_file:ssl[._/] surgical
2026-04-16 Alex Gaynor View commit ↗
4fb6ffa0 26.2 pyca/cryptography
Commit message
Add ML-DSA support for BoringSSL (#14647)
Primary suspect file
src/cryptography/hazmat/backends/openssl/backend.py (file score: 6)
Detection signals
sec_file:ssl[._/] surgical
2026-04-15 Alex Gaynor View commit ↗
9e531001 26.2 grafana/grafana
Commit message
Secrets: Add context to DEK method signatures (#122750)
Primary suspect file
pkg/registry/apis/secret/encryption/manager/manager.go (file score: 7)
Detection signals
sec_file:encrypt surgical
2026-04-15 Michael Mandrus View commit ↗
a3381c66 26.2 Azure/azure-sdk-for-python
Commit message
[agentserver] Spec compliance: error shapes, session headers, isolation, diagnostic logging, startup config logging, Foundry User-Agent (#46364)
Primary suspect file
sdk/agentserver/azure-ai-agentserver-core/azure/ai/agentserver/core/_config.py (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-18 Ravi Pidaparthi View commit ↗
2711aa91 26.2 lobehub/lobe-chat
Commit message
✨ feat(desktop): add dedicated topic popup window with cross-window sync (#13957)
Primary suspect file
apps/desktop/electron.vite.config.ts (file score: 6)
Detection signals
sec_file:config[._/] +path.resolve
2026-04-18 Innei View commit ↗
5dd7cd74 26.2 lobehub/lobe-chat
Commit message
✨ feat: add x ads tracking entry points (#13986)
Primary suspect file
src/routes/share/t/[id]/index.tsx (file score: 6)
Detection signals
surgical +unauthorized
2026-04-20 Tsuki View commit ↗
8240e868 26.2 lobehub/lobe-chat
Commit message
🐛 fix(desktop): repo-type detection for submodule/worktree + chat & sidebar polish (#13978)
Primary suspect file
src/features/ChatInput/RuntimeConfig/WorkingDirectory.tsx (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-19 Arvin Xu View commit ↗
f6cbd02f 26.2 hanami/hanami
Commit message
Update references to hanami-action (#1582)
Primary suspect file
lib/hanami/config.rb (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-21 Sean Collins View commit ↗
1536c823 26.2 openjdk/jdk
Commit message
8379531: Shenandoah: Allow safepoint preemption during allocation of very large arrays
Primary suspect file
src/hotspot/share/gc/shenandoah/shenandoahGeneration.cpp (file score: 9)
Detection signals
surgical -assert(
2026-04-20 Xiaolong Peng View commit ↗
074ed7b6 26.2 rust-lang/rust
Commit message
Rollup merge of #155389 - Zalathar:flag-macros, r=mati865
Primary suspect file
compiler/rustc_session/src/config.rs (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-20 Jonathan Brouwer View commit ↗
38798fce 26.2 elastic/elasticsearch
Commit message
Prepare binary doc values read path for single value enforcement (#146689)
Primary suspect file
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-20 Dmitry Kubikov View commit ↗
36dc67e6 26.2 gravitational/teleport
Commit message
Connect: Clear only stale clients in cache (#65832)
Primary suspect file
lib/teleterm/apiserver/handler/handler_auth.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-20 Grzegorz Zdunek View commit ↗
53f18829 26.2 apache/cassandra
Commit message
Apply changes to gossip state for the local node synchronously, remote peers asynchronously
Primary suspect file
src/java/org/apache/cassandra/config/Config.java (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-20 Sam Tunnicliffe View commit ↗
d7986943 26.2 rust-lang/rust
Commit message
`AliasTermTy` refactor: fixup compiler
Primary suspect file
compiler/rustc_sanitizers/src/cfi/typeid/itanium_cxx_abi/transform.rs (file score: 7)
Detection signals
sec_file:sanitiz surgical
2026-04-07 Waffle Lapkin View commit ↗
2a0c038f 26.2 dotnet/runtime
Commit message
Replace CoreCLR SList with NativeAOT-style design (#126949)
Primary suspect file
src/coreclr/nativeaot/Runtime/threadstore.cpp (file score: 9)
Detection signals
surgical -ASSERT(
2026-04-21 Max Charlamb View commit ↗
40e8fdee 26.2 dotnet/runtime
Commit message
Fix ConfigurationBinder suppressor to only suppress intercepted calls (#126878)
Primary suspect file
src/libraries/Microsoft.Extensions.Configuration.Binder/gen/Specs/InterceptorInfo.cs (file score: 5)
Detection signals
sec_file:intercept surgical
2026-04-21 Petr Onderka View commit ↗
0a0f33b3 26.2 gravitational/teleport
Commit message
unset XAUTHORITY env var for the networking command (#65713)
Primary suspect file
session/envutils/environment.go (file score: 10)
Detection signals
sec_file:session[._/] surgical +strings.HasPrefix
2026-04-22 Andrew LeFevre View commit ↗
b703b7d4 26.2 Azure/azure-sdk-for-python
Commit message
[Cosmos] Fix new pylint errors (#46459)
Primary suspect file
sdk/cosmos/azure-cosmos/azure/cosmos/_cosmos_http_logging_policy.py (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-04-23 Tomas Varon View commit ↗
354210ba 26.2 FasterXML/jackson-databind
Commit message
Fix (minimal) for #1921: support limited merge for immutable POJOs (#5939)
Primary suspect file
src/main/java/tools/jackson/databind/deser/bean/BeanDeserializer.java (file score: 6)
Detection signals
sec_file:deserializ surgical
2026-04-22 Tatu Saloranta View commit ↗
f57a81a5 25.8 UNCLASSIFIED strapi/strapi
Commit message
fix: bulk publish validation on required components in dz (#25687)
Primary suspect file
packages/core/content-manager/server/src/controllers/collection-types.ts (file score: 9)
Detection signals
moderate +sanitizeOutput +forbidden
2026-04-15 Adrien L View commit ↗
7dbb49e2 25.3 UNCLASSIFIED aws/aws-sdk-js-v3
Commit message
feat(client-securityhub): Provide organizational unit scoping capability for GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, GetResourcesStatisticsV2 APIs.
Primary suspect file
clients/client-securityhub/src/commands/BatchUpdateFindingsV2Command.ts (file score: 3)
Detection signals
surgical
2026-04-13 awstools View commit ↗
d4037f7d 25.0 rust-lang/rust
Commit message
Rollup merge of #153335 - Ozzy1423:removed-features, r=jdonszelmann
Primary suspect file
compiler/rustc_attr_parsing/src/session_diagnostics.rs (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-13 Jonathan Brouwer View commit ↗
0486237e 25.0 openbsd/src
Commit message
Prior to this we substring matched and allowed a leading .
Primary suspect file
lib/libcrypto/x509/x509_internal.h (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-13 beck View commit ↗
890c687f 25.0 googleapis/google-cloud-python
Commit message
tests: remove 'treat warnings as errors' flag for docs (#16627)
Primary suspect file
packages/gapic-generator/tests/integration/goldens/credentials/noxfile.py (file score: 8)
Detection signals
sec_file:credential surgical
2026-04-13 Anthonios Partheniou View commit ↗
e7fa71ef 25.0 apache/cassandra
Commit message
Implement a guardrail for client driver versions
Primary suspect file
src/java/org/apache/cassandra/db/guardrails/ClientDriverVersionGuardrail.java (file score: 6)
Detection signals
large_penalty +sanitizedDriverId +forbidden
2026-03-31 Stefan Miklosovic View commit ↗
7617801a 25.0 gradio-app/gradio
Commit message
improve preview and metadata for community themes (#13211)
Primary suspect file
js/_website/src/routes/themes/gallery/ThemeDetailModal.svelte (file score: 10)
Detection signals
surgical -exec(
2026-04-13 Hannah View commit ↗
761be887 25.0 trufflesecurity/trufflehog
Commit message
Add AnalysisError type and wrap all analyzer error paths (#4779)
Primary suspect file
pkg/analyzer/analyzers/airtable/airtableoauth/airtable.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-15 John Elliott View commit ↗
36329a10 25.0 NVIDIA/OpenShell
Commit message
feat(inference): allow setting custom inference timeout (#672)
Primary suspect file
crates/openshell-cli/src/main.rs (file score: 8)
Detection signals
surgical -no_verify
2026-03-30 Peter Andreas Entschev View commit ↗
83af7a24 25.0 NVIDIA/OpenShell
Commit message
feat(sandbox): inject host gateway hostAliases into sandbox pods (#306)
Primary suspect file
e2e/rust/tests/cf_auth_smoke.rs (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-03-14 Drew Newberry View commit ↗
97bad8b7 25.0 NVIDIA/OpenShell
Commit message
chore: derive build version from git tags for all components (#305)
Primary suspect file
crates/openshell-server/src/auth.rs (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-03-14 John T. Myers View commit ↗
ede23ea7 25.0 NVIDIA/OpenShell
Commit message
fix(server): cleanup server multiplexing, tls
Primary suspect file
crates/navigator-server/src/tls.rs (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-02-04 Drew Newberry View commit ↗
db83ae76 25.0 NVIDIA/OpenShell
Commit message
test: add pre-commit hooks
Primary suspect file
crates/navigator-server/src/tls.rs (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-02-03 Drew Newberry View commit ↗
95cdee91 25.0 keycloak/keycloak
Commit message
Pass and use rememberMe option in passkeys authenticators
Primary suspect file
themes/src/main/resources/theme/base/login/resources/js/webauthnAuthenticate.js (file score: 8)
Detection signals
sec_file:login[._/] surgical
2026-04-15 Ricardo Martin View commit ↗
496796e0 25.0 drupal/drupal
Commit message
task: #3451483 Improve Dynamic Page Cache headers for HTML and JSON 4xx responses
Primary suspect file
core/modules/basic_auth/tests/src/Functional/BasicAuthTest.php (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-15 catch View commit ↗
1c7b9e7e 25.0 directus/directus
Commit message
Fix MSSQL schema application failing for text fields with MAX length … (#26934)
Primary suspect file
api/src/services/fields.ts (file score: 5)
Detection signals
surgical +maxLength
2026-04-15 Saquib Beg View commit ↗
c0210214 25.0 mongodb/mongo
Commit message
Revert "SERVER-121471: Disambiguate user-defined collection schema violations from timeseries schema violations in validate (#51957)" (#52110)
Primary suspect file
jstests/core/timeseries/validate_timeseries_schema_error_message.js (file score: 15)
Detection signals
sec_file:validat -assert( -function (
2026-04-20 auto-revert-app[bot] View commit ↗
47915144 25.0 axios/axios
Commit message
fix: more header pollutions (#10779)
Primary suspect file
lib/core/mergeConfig.js (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-20 Jay View commit ↗
47915144 25.0 axios/axios
Commit message
fix: more header pollutions (#10779)
Primary suspect file
lib/core/mergeConfig.js (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-20 Jay View commit ↗
99c399a2 25.0 logto-io/logto
Commit message
feat(core): normalize signing key lifecycle state (#8655)
Primary suspect file
packages/core/src/libraries/logto-config.ts (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-20 Charles Zhao View commit ↗
c7ccec15 25.0 rust-lang/rust
Commit message
Rollup merge of #155568 - rustbot:docs-update, r=ehuss
Primary suspect file
tests/ui/parser/shebang/issue-71471-ignore-tidy.rs (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-21 Jacob Pratt View commit ↗
69dae594 25.0 rust-lang/rust
Commit message
Update shebang reference rule names
Primary suspect file
tests/ui/parser/shebang/issue-71471-ignore-tidy.rs (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-20 Eric Huss View commit ↗
c06093c1 25.0 elastic/elasticsearch
Commit message
[Inference API] Implement updateServiceSettings() for Custom Service (#146242)
Primary suspect file
x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/custom/response/CompletionResponseParser.java (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-21 Jan-Kazlouski-elastic View commit ↗
528ed976 25.0 denoland/deno
Commit message
fix(ext/node): http client compat improvements (#33337)
Primary suspect file
tests/node_compat/config.jsonc (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-21 Bartek Iwańczuk View commit ↗
f6849222 25.0 mongodb/mongo
Commit message
Revert "SERVER-92859 Enable viewless timeseries feature flag (#51573)" (#52332)
Primary suspect file
jstests/auth/timeseries_upgrade_downgrade_apply_ops.js (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-22 auto-revert-app[bot] View commit ↗
9beda5b3 25.0 mongodb/mongo
Commit message
SERVER-92859 Enable viewless timeseries feature flag (#51573)
Primary suspect file
jstests/auth/timeseries_upgrade_downgrade_apply_ops.js (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-21 Meryama View commit ↗
042ff5d4 25.0 cockroachdb/cockroach
Commit message
sql/schemachanger: support setting SEQUENCE NAME on ALTER TABLE ADD IDENTITY (#168759)
Primary suspect file
pkg/sql/serial.go (file score: 6)
Detection signals
-Sprintf(
2026-04-21 trunk-io[bot] View commit ↗
94b40cab 25.0 cockroachdb/cockroach
Commit message
sql: parse PG18 SEQUENCE NAME identity clause; wire up CREATE TABLE
Primary suspect file
pkg/sql/serial.go (file score: 6)
Detection signals
-Sprintf(
2026-04-21 Rafi Shamim View commit ↗
551870b5 25.0 apache/airflow
Commit message
Update `AwsAuthManager` to support multi-team #65371 (#65393)
Primary suspect file
providers/amazon/src/airflow/providers/amazon/aws/auth_manager/avp/entities.py (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-21 Haseeb Malik View commit ↗
528ed976 25.0 denoland/deno
Commit message
fix(ext/node): http client compat improvements (#33337)
Primary suspect file
tests/node_compat/config.jsonc (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-21 Bartek Iwańczuk View commit ↗
63c56cda 25.0 django/django
Commit message
Fixed #35870 -- Made blank choice label in forms more accessible.
Primary suspect file
django/conf/global_settings.py (file score: 6)
Detection signals
sec_file:settings\.py surgical
2026-01-18 Annabelle Wiegart View commit ↗
89138289 25.0 denoland/deno
Commit message
perf(libs/core): poll only ready handles and yield between I/O batches (#33349)
Primary suspect file
libs/core/runtime/jsruntime.rs (file score: 8)
Detection signals
surgical -unsafe {
2026-04-22 Nathan Whitaker View commit ↗
8af1a129 25.0 grafana/grafana
Commit message
Logs Table: Add Log Details Support (#123038)
Primary suspect file
public/app/plugins/panel/logstable/rows/LogsTableRowActionButtons.tsx (file score: 8)
Detection signals
moderate -function (
2026-04-22 Matias Chomicki View commit ↗
db7eab37 25.0 apache/airflow
Commit message
Remove global variables in airflow.settings (#61917)
Primary suspect file
providers/fab/src/airflow/providers/fab/auth_manager/models/db.py (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-23 Jens Scheffler View commit ↗
88d82cf4 25.0 gravitational/teleport
Commit message
Configure kingpin to allow DCE (#65897)
Primary suspect file
lib/utils/testdata/TestInitCLIParser/command_width_aligned_for_subcommand_help.golden (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-22 rosstimothy View commit ↗
7d9d8d17 25.0 aws/aws-sdk-js-v3
Commit message
fix(client-s3): retry errors with 200 status code (#7945)
Primary suspect file
codegen/smithy-aws-typescript-codegen/src/main/java/software/amazon/smithy/aws/typescript/codegen/AddS3Config.java (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-22 George Fu View commit ↗
8a3b7b04 25.0 huggingface/transformers
Commit message
Fix typos (#45574)
Primary suspect file
utils/check_config_attributes.py (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-22 Anton Vlasjuk View commit ↗
d179724f 25.0 anchore/syft
Commit message
fix: improve redhat-release parsing fallback for RHEL clones (#4808)
Primary suspect file
syft/linux/identify_release.go (file score: 6)
Detection signals
surgical +strings.HasPrefix
2026-04-22 Weston Steimel View commit ↗
89138289 25.0 denoland/deno
Commit message
perf(libs/core): poll only ready handles and yield between I/O batches (#33349)
Primary suspect file
libs/core/runtime/jsruntime.rs (file score: 8)
Detection signals
surgical -unsafe {
2026-04-22 Nathan Whitaker View commit ↗
a044b020 24.3 WEAK_CRYPTO psf/requests
Commit message
Move DigestAuth hash algorithms to use usedforsecurity=False (#7310)
Primary suspect file
src/requests/auth.py (file score: 15)
Detection signals
sec_file:auth[._/] surgical -md5 -sha1 swap:\bMD5\b→\bSHA256\b swap:\bSHA1\b→\bSHA256\b
2026-04-15 Nate Prewitt View commit ↗
39c734ee 23.8 quarkusio/quarkus
Commit message
Allows configuring the let's encrypt servers
Primary suspect file
extensions/tls-registry/cli/src/main/java/io/quarkus/tls/cli/letsencrypt/LetsEncryptIssueCommand.java (file score: 7)
Detection signals
sec_file:encrypt surgical
2026-04-12 Clement Escoffier View commit ↗
56824423 23.8 facebook/react
Commit message
[react-native-renderer] EventTarget-based event dispatching (#36253)
Primary suspect file
scripts/rollup/validate/eslintrc.rn.js (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-14 Rubén Norte View commit ↗
d8e9ae7b 23.8 dotnet/runtime
Commit message
[clr-ios] Fix SIGSEGV in open virtual delegate dispatch with interpreter (#126199)
Primary suspect file
src/coreclr/interpreter/compiler.cpp (file score: 3)
Detection signals
surgical
2026-04-14 Milos Kotlar View commit ↗
60815e79 23.8 dotnet/runtime
Commit message
Remove stderr logging in GSSAPI initialization (#126647)
Primary suspect file
src/libraries/Common/src/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.IsNtlmInstalled.cs (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-14 Radek Zikmund View commit ↗
3cc859c8 23.8 googleapis/google-cloud-python
Commit message
test: enables assorted tests (#16611)
Primary suspect file
packages/bigframes/bigframes/session/iceberg.py (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-14 Chalmer Lowe View commit ↗
6b5423fe 23.8 astral-sh/ruff
Commit message
[ty] Move `fixes.rs` to `ty_python_semantic` (#24561)
Primary suspect file
crates/ty_project/src/walk.rs (file score: 5)
Detection signals
large_penalty -system(
2026-04-14 Micha Reiser View commit ↗
e0fb1f99 23.8 dotnet/runtime
Commit message
Add AddRegisteredId to SubjectAlternativeNameBuilder
Primary suspect file
src/libraries/System.Security.Cryptography/ref/System.Security.Cryptography.cs (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-15 Kevin Jones View commit ↗
ebe28c12 23.8 cockroachdb/cockroach
Commit message
sql/catalog: add system.advisory_locks (#168157)
Primary suspect file
pkg/sql/catalog/catprivilege/system.go (file score: 7)
Detection signals
sec_file:privilege surgical
2026-04-14 trunk-io[bot] View commit ↗
cc71e3a0 23.8 cockroachdb/cockroach
Commit message
sql/catalog: add system.advisory_locks
Primary suspect file
pkg/sql/catalog/catprivilege/system.go (file score: 7)
Detection signals
sec_file:privilege surgical
2026-04-10 Faizan Qazi View commit ↗
0ea6a8f6 23.8 gravitational/teleport
Commit message
Improve `--help` output for `tsh`, `tctl`, `tbot`, `teleport-update` and `teleport` (#64122)
Primary suspect file
lib/utils/testdata/TestInitCLIParser/command_width_aligned_for_subcommand_help.golden (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-14 Adam Pickering View commit ↗
647b7947 23.8 NVIDIA/OpenShell
Commit message
fix: security hardening from aardvark/codex scanner findings (#352)
Primary suspect file
crates/openshell-sandbox/data/sandbox-policy.rego (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-03-16 John T. Myers View commit ↗
454327d8 23.8 NVIDIA/OpenShell
Commit message
feat(policy): add policy recommendation plumbing (#204) (#222)
Primary suspect file
crates/navigator-server/tests/auth_endpoint_integration.rs (file score: 5)
Detection signals
sec_file:auth[._/]
2026-03-12 John T. Myers View commit ↗
a2de1f24 23.8 NVIDIA/OpenShell
Commit message
feat: add Cloudflare tunnel auth support (#178)
Primary suspect file
crates/navigator-server/tests/multiplex_tls_integration.rs (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-03-10 Drew Newberry View commit ↗
34fd3cbf 23.8 NVIDIA/OpenShell
Commit message
feat(inference): inference interception and routing (!38)
Primary suspect file
crates/navigator-sandbox/src/policy.rs (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-02-23 Piotr Mlocek View commit ↗
c5b0a52e 23.8 mongodb/mongo
Commit message
SERVER-86878 Remove StatusWith from plan_executor_factory::make() (#50226)
Primary suspect file
src/mongo/db/global_catalog/metadata_consistency_validation/metadata_consistency_util.cpp (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-15 Niels Lohmann View commit ↗
7aee753b 23.8 apache/airflow
Commit message
E2E: resilient page objects with toPass pattern and simple spec refactoring (#64666)
Primary suspect file
airflow-core/src/airflow/ui/tests/e2e/specs/task-logs.spec.ts (file score: 7)
Detection signals
-exec(
2026-04-15 Yeonguk Choo View commit ↗
d9022ef4 23.8 wazuh/wazuh
Commit message
Improve unclasified and indexer metrics
Primary suspect file
src/engine/source/builder/src/builders/opfilter/opBuilderHelperFilter.cpp (file score: 5)
Detection signals
sec_file:filter[._/] surgical
2026-04-10 Nahuel Figueroa View commit ↗
96de24ee 23.8 timescale/timescaledb
Commit message
Remove some unused declarations
Primary suspect file
tsl/src/bgw_policy/compression_api.h (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-04-14 Sven Klemm View commit ↗
29bafa7b 23.8 dotnet/runtime
Commit message
Add support for utilizing F16C instructions on xarch (#127094)
Primary suspect file
src/libraries/System.Private.CoreLib/src/System/Half.cs (file score: 7)
Detection signals
sec_file:private[._/] surgical
2026-04-18 Tanner Gooding View commit ↗
24d3461b 23.8 cockroachdb/cockroach
Commit message
conflict: diff the clusters when there is a row mismatch (#166626)
Primary suspect file
pkg/workload/rand/writer.go (file score: 7)
Detection signals
moderate -Sprintf(
2026-04-18 trunk-io[bot] View commit ↗
1aa212f5 23.8 grafana/grafana
Commit message
AccessControl: Re-land SA resource permission action set support (#122996)
Primary suspect file
pkg/services/accesscontrol/resourcepermissions/service.go (file score: 6)
Detection signals
surgical +strings.HasPrefix
2026-04-18 linoman View commit ↗
56b03968 23.8 dotnet/runtime
Commit message
Fix IndexOf upper-bound guard in ImmutableArray/List (#124967)
Primary suspect file
src/libraries/System.Collections.Immutable/src/System/Collections/Immutable/ImmutableArray_1.Builder.cs (file score: 3)
Detection signals
surgical
2026-04-19 prozolic View commit ↗
30be22f3 23.8 go-gitea/gitea
Commit message
Refactor frontend `tw-justify-between` layouts to `flex-left-right` (#37291)
Primary suspect file
templates/repo/issue/filter_actions.tmpl (file score: 5)
Detection signals
sec_file:filter[._/] surgical
2026-04-19 Copilot View commit ↗
40e9bf6f 23.8 NVIDIA/OpenShell
Commit message
feat(policy): add incremental sandbox policy updates (#860)
Primary suspect file
crates/openshell-policy/src/lib.rs (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-04-20 John T. Myers View commit ↗
72095c64 23.8 openiddict/openiddict-core
Commit message
Bump the .NET SDK and packages
Primary suspect file
src/OpenIddict.Validation.AspNetCore/OpenIddict.Validation.AspNetCore.csproj (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-20 Kévin Chalet View commit ↗
61290050 23.8 openbsd/src
Commit message
vi: whitespace fixes
Primary suspect file
usr.bin/vi/ex/ex_filter.c (file score: 5)
Detection signals
sec_file:filter[._/] surgical
2026-04-20 tb View commit ↗
6380ec94 23.8 mongodb/mongo
Commit message
SERVER-124879 Add instructions for BUILD files that have resmoke_suite_test targets (#52172)
Primary suspect file
jstests/suites/security/BUILD.bazel (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-20 Sean Lyons View commit ↗
261e788b 23.8 grafana/grafana
Commit message
GrafanaUI: Update react-inlinesvg to 4.3.0 (#122943)
Primary suspect file
public/app/core/components/SVG/SanitizedSVG.tsx (file score: 7)
Detection signals
sec_file:sanitiz surgical
2026-04-21 Josh Hunt View commit ↗
4e0f2cca 23.8 jenkinsci/jenkins
Commit message
Adopt experimental App Bar API for jobs (#26510)
Primary suspect file
webpack.config.js (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-20 Jan Faracik View commit ↗
a1dee688 23.8 openjdk/jdk
Commit message
8382625: G1: Constify G1Policy::need_to_start_conc_mark()
Primary suspect file
src/hotspot/share/gc/g1/g1Policy.cpp (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-04-21 Thomas Schatzl View commit ↗
346d66c6 23.8 cockroachdb/cockroach
Commit message
tracing: unify SHOW TRACE span start format with Recording.String() (#167682)
Primary suspect file
pkg/sql/exec_util.go (file score: 9)
Detection signals
surgical -Sprintf(
2026-04-21 trunk-io[bot] View commit ↗
b9126376 23.8 elastic/elasticsearch
Commit message
ESQL: TSTEP #4 <add TStep aggregate function> (#144967)
Primary suspect file
x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/session/Configuration.java (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-21 Serge S View commit ↗
d3bc76a6 23.8 gravitational/teleport
Commit message
Avoid a hard crash when WebAssembly is missing (#65771)
Primary suspect file
web/packages/shared/components/DesktopSession/DesktopSession.tsx (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-21 Ryan Clark View commit ↗
b4de72b0 23.8 lobehub/lobe-chat
Commit message
✨ feat(mobile): full settings menu and responsive profile layout (#14019)
Primary suspect file
src/locales/default/auth.ts (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-22 YuTengjing View commit ↗
6f9d5a0f 23.8 nats-io/nats-server
Commit message
(2.14) Scheduling: validation, inflight leak, and target schedule replace (#8055)
Primary suspect file
server/filestore.go (file score: 3)
Detection signals
surgical
2026-04-21 Neil View commit ↗
bd385505 23.8 netdata/netdata
Commit message
ebpf.plugin: fix PID accounting shared-memory pool leak and 100% CPU spin (#22232)
Primary suspect file
src/collectors/collectors-ipc/ebpf-ipc.h (file score: 3)
Detection signals
surgical
2026-04-21 Costa Tsaousis View commit ↗
e201c8a3 23.8 symfony/symfony
Commit message
feature #64009 Improve phpdoc types (stof)
Primary suspect file
src/Symfony/Component/Security/Core/Authorization/Voter/VoterInterface.php (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-22 Jérôme Tamarelle View commit ↗
e1689a85 23.8 symfony/symfony
Commit message
Improve phpdoc types
Primary suspect file
src/Symfony/Component/Security/Core/Authorization/Voter/VoterInterface.php (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-21 Christophe Coevoet View commit ↗
8f3d0b9d 23.8 angular/angular
Commit message
feat(core): introduce @Service decorator
Primary suspect file
packages/core/src/core_render3_private_export.ts (file score: 7)
Detection signals
sec_file:private[._/] surgical
2026-04-14 Kristiyan Kostadinov View commit ↗
5ad7363c 23.8 rust-lang/rust
Commit message
Rollup merge of #154794 - chenyukang:yukang-fix-152494-incomplete-macro-args, r=mejrs
Primary suspect file
compiler/rustc_attr_parsing/src/attributes/diagnostic/on_unmatch_args.rs (file score: 5)
Detection signals
moderate +AllowList
2026-04-22 Jonathan Brouwer View commit ↗
9619cf56 23.8 dotnet/runtime
Commit message
Revert "Handle canonical types in casting logic" (#127301)
Primary suspect file
src/coreclr/nativeaot/System.Private.TypeLoader/src/System.Private.TypeLoader.csproj (file score: 7)
Detection signals
sec_file:private[._/] surgical
2026-04-23 Michal Strehovský View commit ↗
1a5ff6dd 23.8 grafana/grafana
Commit message
fix: force index for shorturl migration query (#123202)
Primary suspect file
pkg/registry/apps/shorturl/migrator/query_shorturls.sql (file score: 3)
Detection signals
surgical
2026-04-22 Mustafa Sencer Özcan View commit ↗
e969a7d2 23.8 FasterXML/jackson-databind
Commit message
Fix #2747: wrong parsing context path As.EXTERNAL_PROPERTY type id (#5936)
Primary suspect file
src/main/java/tools/jackson/databind/jsontype/impl/TypeDeserializerBase.java (file score: 6)
Detection signals
sec_file:deserializ surgical
2026-04-22 Tatu Saloranta View commit ↗
b57eea2a 23.8 langchain-ai/langchain
Commit message
hotfix(ci): remove nobenchmark flag (#36959)
Primary suspect file
libs/partners/anthropic/Makefile (file score: 3)
Detection signals
surgical
2026-04-22 Mason Daugherty View commit ↗
a7caef81 23.2 REDOS grpc/grpc
Commit message
[CI] Increase timeout for various RBE C/C++ sanitizer/dbg/opt tests. (#42113)
Primary suspect file
tools/internal_ci/linux/pull_request/grpc_bazel_rbe_asan.cfg (file score: 3)
Detection signals
surgical
2026-04-14 yuanweiz View commit ↗
25d2530b 23.0 UNCLASSIFIED NVIDIA/OpenShell
Commit message
fix(inference): allowlist routed request headers (#826)
Primary suspect file
crates/openshell-router/src/backend.rs (file score: 3)
Detection signals
large_penalty +sanitize_request_headers
2026-04-15 John T. Myers View commit ↗
651e9fd8 22.8 UNCLASSIFIED haproxy/haproxy
Commit message
MINOR: otel: changed log-record attr to use sample expressions
Primary suspect file
addons/otel/include/parser.h (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-03 Miroslav Zagorac View commit ↗
9f90874e 22.7 UNCLASSIFIED NVIDIA/OpenShell
Commit message
chore: fix clippy warnings
Primary suspect file
crates/navigator-bootstrap/src/metadata.rs (file score: 3)
Detection signals
surgical
2026-02-16 Drew Newberry View commit ↗
6a9f0904 22.7 UNCLASSIFIED dotnet/runtime
Commit message
HTTP/2: Add automatic downgrade to HTTP/1.1 for Windows authentication (#123827)
Primary suspect file
src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/ConnectionPool/HttpConnectionPool.Http1.cs (file score: 4)
Detection signals
sec_file:handler[._/] surgical
2026-04-18 Copilot View commit ↗
bec74bb4 22.5 aio-libs/aiohttp
Commit message
Use DEFAULT_CHUNK_SIZE global (#12356)
Primary suspect file
aiohttp/helpers.py (file score: 5)
Detection signals
surgical +max size
2026-04-13 Sam Bull View commit ↗
1ab7991b 22.5 quarkusio/quarkus
Commit message
Add specific logging when trust-all is configured or the host name validation is disabled.
Primary suspect file
extensions/tls-registry/runtime/src/main/java/io/quarkus/tls/runtime/CertificateRecorder.java (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-04-12 Clement Escoffier View commit ↗
9b762280 22.5 freebsd/freebsd-src
Commit message
inpcb: retire inp_vnet
Primary suspect file
sys/kern/uipc_ktls.c (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-04-14 Gleb Smirnoff View commit ↗
f2629342 22.5 haproxy/haproxy
Commit message
BUILD: ot: removed explicit include path when building opentracing filter
Primary suspect file
addons/ot/src/filter.c (file score: 5)
Detection signals
sec_file:filter[._/] surgical
2023-01-19 Miroslav Zagorac View commit ↗
6f177cd0 22.5 haproxy/haproxy
Commit message
MINOR: otel: added log-record signal support
Primary suspect file
addons/otel/include/conf.h (file score: 5)
Detection signals
moderate +rate_limit
2026-03-07 Miroslav Zagorac View commit ↗
24faa712 22.5 apache/airflow
Commit message
fix(providers/fab): lazily initialize flask_app in FastAPI routes (#64908)
Primary suspect file
providers/fab/src/airflow/providers/fab/auth_manager/api_fastapi/routes/login.py (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-14 Pradeep Kalluri View commit ↗
67892866 22.5 drupal/drupal
Commit message
feat: #3311365 Use PHP attributes for route discovery
Primary suspect file
core/modules/system/src/Controller/Http4xxController.php (file score: 6)
Detection signals
surgical +Unauthorized
2026-04-14 catch View commit ↗
9011bd1f 22.5 Azure/azure-sdk-for-python
Commit message
`Analyze` passes target python version (#46093)
Primary suspect file
eng/tools/azure-sdk-tools/azpysdk/Check.py (file score: 6)
Detection signals
moderate +sanitized
2026-04-14 Scott Beddall View commit ↗
cf7f9d9d 22.5 apache/pulsar
Commit message
[improve][all] Upgraded Jackson to 2.21 LTS and fixed a few gradle assemble warnings (#25504)
Primary suspect file
pulsar-common/src/main/java/org/apache/pulsar/common/util/FieldParser.java (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-13 Abhilash Mandaliya View commit ↗
184f36b1 22.5 WWBN/AVideo
Commit message
fix: Add request validation to prevent untrusted access in comment deletion
Primary suspect file
objects/functionsSecurity.php (file score: 4)
Detection signals
sec_file:security[._/]
2026-04-13 Daniel Neto View commit ↗
ccdd692d 22.5 laravel/framework
Commit message
Use Null and Isset coalescing when possible (#59690)
Primary suspect file
src/Illuminate/Http/Middleware/HandleCors.php (file score: 6)
Detection signals
sec_file:cors[._/] surgical
2026-04-14 Lucas Michot View commit ↗
e102808e 22.5 NVIDIA/OpenShell
Commit message
fix(cli): pass cluster name to ssh-proxy child process for correct TLS path resolution (#52)
Primary suspect file
crates/navigator-cli/src/tls.rs (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-03-02 Drew Newberry View commit ↗
c0547c50 22.5 NVIDIA/OpenShell
Commit message
feat(gator): interactive TUI for Navigator (#57)
Primary suspect file
crates/navigator-cli/src/tls.rs (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-03-02 John T. Myers View commit ↗
c094769a 22.5 NVIDIA/OpenShell
Commit message
feat(server): add an inference router (!13)
Primary suspect file
crates/navigator-cli/src/tls.rs (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-02-12 Piotr Mlocek View commit ↗
3273c5b4 22.5 WWBN/AVideo
Commit message
fix: Add loopback IP validation to enhance security checks in request handling
Primary suspect file
objects/functionsSecurity.php (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-15 Daniel Neto View commit ↗
309d1bd9 22.5 tokio-rs/axum
Commit message
feat: add `#[diagnostic::on_unimplemented]` to `IntoResponse` and `IntoResponseParts` (#3723)
Primary suspect file
axum-macros/tests/debug_handler/fail/single_wrong_return_tuple.stderr (file score: 4)
Detection signals
sec_file:handler[._/] surgical
2026-04-15 Dihan Nahdi View commit ↗
7fd35f4c 22.5 curl/curl
Commit message
unittests: cleanups
Primary suspect file
lib/vtls/x509asn1.c (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-04-15 Daniel Stenberg View commit ↗
e32ec474 22.5 golang/go
Commit message
crypto/internal/fips140/drbg: build tag out entropy generation on Wasm
Primary suspect file
src/crypto/internal/fips140/drbg/entropy_wasm.go (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-03-23 Cherry Mui View commit ↗
e32ec474 22.5 golang/go
Commit message
crypto/internal/fips140/drbg: build tag out entropy generation on Wasm
Primary suspect file
src/crypto/internal/fips140/drbg/entropy_wasm.go (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-03-23 Cherry Mui View commit ↗
de486877 22.5 envoyproxy/envoy
Commit message
HTTP: add overload action to close idle HTTP connections (#43612)
Primary suspect file
envoy/network/connection_handler.h (file score: 4)
Detection signals
sec_file:handler[._/] surgical
2026-04-16 Ting Pan View commit ↗
fdcf9b2c 22.5 elastic/elasticsearch
Commit message
[Inference API] Refactor Contextual AI integration and fix multiple issues (#145700)
Primary suspect file
x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/contextualai/ContextualAiResponseHandler.java (file score: 4)
Detection signals
sec_file:handler[._/] surgical
2026-04-15 Jan-Kazlouski-elastic View commit ↗
3273c5b4 22.5 WWBN/AVideo
Commit message
fix: Add loopback IP validation to enhance security checks in request handling
Primary suspect file
objects/functionsSecurity.php (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-15 Daniel Neto View commit ↗
53f6e919 22.5 aio-libs/aiohttp
Commit message
Optimise decompression size (#12357)
Primary suspect file
aiohttp/http_parser.py (file score: 8)
Detection signals
sec_file:parser[._/] surgical +max_length +maxsize
2026-04-18 Sam Bull View commit ↗
c5f6afc3 22.5 rust-lang/rust
Commit message
Remove target arguments & features from `parse_limited`
Primary suspect file
compiler/rustc_expand/src/config.rs (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-18 Jonathan Brouwer View commit ↗
23c3aae6 22.5 grafana/grafana
Commit message
Perf: use date-fns deep imports instead of barrel (#122919)
Primary suspect file
eslint.config.js (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-20 Hugo Häggmark View commit ↗
f6960096 22.5 go-gitea/gitea
Commit message
Enable strict TypeScript, add `errorMessage` helper (#37292)
Primary suspect file
web_src/js/features/admin/config.ts (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-20 silverwind View commit ↗
22062deb 22.5 openvpn/openvpn
Commit message
Remove various redundant conditionals
Primary suspect file
src/openvpn/ssl_verify.c (file score: 6)
Detection signals
sec_file:ssl[._/] surgical
2026-04-19 Frank Lichtenheld View commit ↗
4f8e85e1 22.5 logto-io/logto
Commit message
feat(core): add OSS onboarding survey reporting (#8666)
Primary suspect file
packages/console/vite.config.ts (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-21 Darcy Ye View commit ↗
3ca43dc5 22.5 rust-lang/rust
Commit message
Rollup merge of #154654 - bushrat011899:core_io_error_kind, r=Mark-Simulacrum
Primary suspect file
library/std/src/io/error/repr_bitpacked.rs (file score: 6)
Detection signals
-transmute
2026-04-20 Jonathan Brouwer View commit ↗
fe2b39f0 22.5 rust-lang/rust
Commit message
Move `std::io::ErrorKind` to `core::io`
Primary suspect file
library/std/src/io/error/repr_bitpacked.rs (file score: 6)
Detection signals
-transmute
2026-04-14 Zac Harrold View commit ↗
03622f2b 22.5 mongodb/mongo
Commit message
SERVER-124377 Remove $in list length limit for CBR (#52094)
Primary suspect file
jstests/noPassthroughWithMongod/query/cbr/cbr_fallback.js (file score: 6)
Detection signals
-assert(
2026-04-20 natalie-hill View commit ↗
171b3e3a 22.5 hashicorp/consul
Commit message
UI - Use HDS AppFrame (#23450)
Primary suspect file
ui/packages/consul-ui/app/templates/dc/routing-config.hbs (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-20 Rishabh Gupta View commit ↗
4c5defc4 22.5 grafana/grafana
Commit message
Alerting: Allow restricting contact point integration types (#118858)
Primary suspect file
pkg/registry/apps/alerting/notifications/integrationtypeschema/handler.go (file score: 4)
Detection signals
sec_file:handler[._/] surgical
2026-04-20 Chris Chang View commit ↗
1eb813d1 22.5 elastic/elasticsearch
Commit message
PromQL: Add year() scalar function (#146004)
Primary suspect file
x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/session/Configuration.java (file score: 5)
Detection signals
sec_file:session[._/] moderate
2026-04-20 Serge S View commit ↗
8e237178 22.5 aquasecurity/trivy
Commit message
chore(deps): replace xeipuuv/gojsonschema and invopop/jsonschema with google/jsonschema-go (#10528)
Primary suspect file
magefiles/config_schema.go (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-20 Nikita Pivkin View commit ↗
ead8d4b5 22.5 protocolbuffers/protobuf
Commit message
Internal change
Primary suspect file
src/google/protobuf/compiler/cpp/parse_function_generator.cc (file score: 6)
Detection signals
-StrCat(
2026-04-20 Protobuf Team Bot View commit ↗
970d0399 22.5 marimo-team/marimo
Commit message
Drop dangling @file URLs from the session cache (#9278)
Primary suspect file
marimo/_server/export/_session_cache.py (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-20 Trevor Manz View commit ↗
bd113957 22.5 NVIDIA/OpenShell
Commit message
feat(server): serve health endpoints on separate unauthenticated port (#903)
Primary suspect file
crates/openshell-core/src/config.rs (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-21 Seth Jennings View commit ↗
8de4b600 22.5 vercel/next.js
Commit message
Make `'use cache'` fill timeout configurable (#93070)
Primary suspect file
packages/next/src/server/config.ts (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-21 Hendrik Liebau View commit ↗
4195fc4e 22.5 php/php-src
Commit message
ext/phar: no longer assign to variables in if conditions
Primary suspect file
ext/phar/phar.c (file score: 6)
Detection signals
moderate +realpath
2026-04-21 Gina Peter Banyard View commit ↗
a2bb9855 22.5 dotnet/runtime
Commit message
Implement SafeProcessHandle.WaitForExit* methods (#127022)
Primary suspect file
src/libraries/System.Diagnostics.Process/src/System/Diagnostics/ProcessWaitState.Unix.cs (file score: 6)
Detection signals
-Assert(
2026-04-22 Copilot View commit ↗
d3041723 22.5 mongodb/mongo
Commit message
SERVER-124174 Replace FLE2 prefix/suffix preview types with GA types in jstests and unit tests (#52170)
Primary suspect file
src/mongo/crypto/fle_stats.h (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-21 Erwin Pe View commit ↗
5b976ba6 22.5 mongodb/mongo
Commit message
SERVER-123928 Forbid creation of mismatched timeseries collections based on featureFlagCreateViewlessTimeseriesCollections (#51947)
Primary suspect file
jstests/auth/timeseries_upgrade_downgrade_apply_ops.js (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-21 Tommaso Tocci View commit ↗
1cc6f542 22.5 apache/airflow
Commit message
Make Mypy plugins installable (#61422)
Primary suspect file
dev/breeze/src/airflow_breeze/commands/release_management_commands_config.py (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-22 Hussein Awala View commit ↗
e1c5af76 22.5 googleapis/google-cloud-python
Commit message
fix: replace deprecated `utcfromtimestamp` in google-auth-oauthlib (#16732)
Primary suspect file
packages/gcp-sphinx-docfx-yaml/tests/testdata/auth/google_auth_oauthlib/helpers.py (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-21 Chalmer Lowe View commit ↗
192ccc52 22.5 googleapis/google-cloud-python
Commit message
feat: enable mypy session for ndb (#16691)
Primary suspect file
packages/google-cloud-ndb/google/cloud/ndb/global_cache.py (file score: 6)
Detection signals
surgical -sha1
2026-04-21 Chalmer Lowe View commit ↗
61224fe7 22.5 lobehub/lobe-chat
Commit message
🐛 fix(auth): return 401 for expired OIDC JWT instead of 500 (#14014)
Primary suspect file
src/app/(backend)/middleware/auth/index.ts (file score: 9)
Detection signals
sec_file:auth[._/] moderate +UNAUTHORIZED
2026-04-21 YuTengjing View commit ↗
4483c860 22.5 NVIDIA/OpenShell
Commit message
feat(server,driver-vm,e2e): gateway-owned readiness + VM compute driver e2e (#901)
Primary suspect file
crates/openshell-server/src/supervisor_session.rs (file score: 5)
Detection signals
sec_file:session[._/] moderate
2026-04-22 Drew Newberry View commit ↗
bb030b4a 22.5 mongodb/mongo
Commit message
SERVER-123781 Exclude IFR flags from multiversion tests (#51808)
Primary suspect file
buildscripts/resmokelib/config.py (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-22 Finley Lau View commit ↗
fee2a76a 22.5 hashicorp/vault
Commit message
SECVULN-41437: Require sudo for mounts auth tune (#13738) (#14044)
Primary suspect file
vault/router.go (file score: 4)
Detection signals
moderate +strings.HasPrefix
2026-04-22 Vault Automation View commit ↗
b832f0a9 22.5 grafana/grafana
Commit message
Alerting: Export external Alertmanager sender metrics with data source UIDs (#121996)
Primary suspect file
pkg/services/ngalert/sender/sender.go (file score: 7)
Detection signals
moderate -Sprintf(
2026-04-22 Santiago View commit ↗
e8371673 22.5 apache/spark
Commit message
[SPARK-56410][SQL][CORE] Add bounded k-way merge support in UnsafeExternalSorter to reduce OOM risk
Primary suspect file
core/src/main/scala/org/apache/spark/internal/config/package.scala (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-22 Tengfei Huang View commit ↗
7187177f 22.5 huggingface/transformers
Commit message
[`Privacy Filter`] Add model (#45580)
Primary suspect file
utils/check_config_attributes.py (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-22 Anton Vlasjuk View commit ↗
73222a68 21.9 UNCLASSIFIED grafana/grafana
Commit message
Datasources: Allow editing data source title (#122053)
Primary suspect file
public/app/core/components/Page/PageHeader.tsx (file score: 4)
Detection signals
sec_file:header[._/] surgical
2026-04-15 Matt Cowley View commit ↗
decbc4ce 21.3 PRIVILEGE_ESCALATION→ROLE lobehub/lobe-chat
Commit message
♻️ refactor: alias buffer package as buffer.js for cleaner imports (#14081)
Primary suspect file
packages/model-runtime/src/core/contextBuilders/openai.ts (file score: 3)
Detection signals
surgical
2026-04-23 Innei View commit ↗
890ab757 21.2 fastify/fastify
Commit message
feat: add request.mediaType (#6653)
Primary suspect file
lib/validation.js (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-14 KaKa View commit ↗
f479323d 21.2 quarkusio/quarkus
Commit message
Move TransactionalContextPool and TransactionalContextConnection to reactive-transactions
Primary suspect file
extensions/reactive-transactions/runtime/src/main/java/io/quarkus/reactive/transaction/runtime/TransactionalInterceptorBase.java (file score: 5)
Detection signals
sec_file:intercept surgical
2026-04-08 Yoann Rodière View commit ↗
98ed4984 21.2 openssl/openssl
Commit message
apps : enforce command-line parameter checking.
Primary suspect file
apps/include/opt.h (file score: 3)
Detection signals
surgical
2026-03-26 F. R. Da Silva View commit ↗
98ed4984 21.2 openssl/openssl
Commit message
apps : enforce command-line parameter checking.
Primary suspect file
apps/include/opt.h (file score: 3)
Detection signals
surgical
2026-03-26 F. R. Da Silva View commit ↗
f56461da 21.2 logto-io/logto
Commit message
fix(phrases): clarify account center enablement copy (#8645)
Primary suspect file
packages/phrases/src/locales/ar/translation/admin-console/sign-in-exp/index.ts (file score: 3)
Detection signals
surgical
2026-04-14 wangsijie View commit ↗
8cbc38f9 21.2 logto-io/logto
Commit message
fix(phrases): update account center description to reflect current scope (#8636)
Primary suspect file
packages/phrases/src/locales/ar/translation/admin-console/sign-in-exp/index.ts (file score: 3)
Detection signals
surgical
2026-04-14 wangsijie View commit ↗
92034008 21.2 logto-io/logto
Commit message
fix(account): show error page when no verification methods are available (#8639)
Primary suspect file
packages/account/src/components/VerificationMethodList/index.tsx (file score: 3)
Detection signals
surgical
2026-04-14 wangsijie View commit ↗
84b0f49e 21.2 logto-io/logto
Commit message
fix(phrases): shorten disable 2-step verification button text (#8650)
Primary suspect file
packages/phrases-experience/src/locales/ar/account-center.ts (file score: 3)
Detection signals
surgical
2026-04-13 wangsijie View commit ↗
08dad097 21.2 php/php-src
Commit message
Fix GH-8561, GH-8562, GH-8563, GH-8564: SplFileObject iterator desync (#21679)
Primary suspect file
ext/spl/tests/SplFileObject/SplFileObject_key_error001.phpt (file score: 3)
Detection signals
surgical
2026-04-13 Ilia Alshanetsky View commit ↗
791a3dce 21.2 rust-lang/rust
Commit message
Revert "Fix cycles during delayed lowering"
Primary suspect file
compiler/rustc_ast_lowering/src/delegation.rs (file score: 3)
Detection signals
surgical
2026-04-13 aerooneqq View commit ↗
ebf02b36 21.2 dotnet/runtime
Commit message
Add ConfigurationIgnoreAttribute (#126396)
Primary suspect file
src/libraries/Microsoft.Extensions.Configuration.Binder/gen/ConfigurationBindingGenerator.Parser.cs (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-14 Jaroslav Ruzicka View commit ↗
19d0c6e4 21.2 dotnet/runtime
Commit message
Fix DefaultCOMImpl reference counting bugs in DAC (#125231)
Primary suspect file
eng/Versions.props (file score: 3)
Detection signals
surgical
2026-04-14 Max Charlamb View commit ↗
ccd7c264 21.2 openbsd/src
Commit message
drm/amd/display: Fix DCE LVDS handling
Primary suspect file
sys/dev/pci/drm/amd/display/dc/resource/dce100/dce100_resource.c (file score: 3)
Detection signals
surgical
2026-04-12 jsg View commit ↗
ef9620e1 21.2 mongodb/mongo
Commit message
SERVER-123841 Add multikeyness info to all join tests (#51578)
Primary suspect file
jstests/noPassthroughWithMongod/query/join/additional_filter.js (file score: 5)
Detection signals
sec_file:filter[._/] surgical
2026-04-14 Alya Carina Berciu View commit ↗
48d0b77f 21.2 mongodb/mongo
Commit message
SERVER-123839 Move joinTestWrapper and pass in db (#51708)
Primary suspect file
jstests/noPassthroughWithMongod/query/join/additional_filter.js (file score: 5)
Detection signals
sec_file:filter[._/] surgical
2026-04-14 Alya Carina Berciu View commit ↗
6f3a3df7 21.2 mongodb/mongo
Commit message
SERVER-123701 Remove special-casing for Timestamp::min() in KVDropPendingIdentReaper (#51458)
Primary suspect file
src/mongo/db/index_builds/index_build_interceptor.h (file score: 5)
Detection signals
sec_file:intercept surgical
2026-04-13 Thomas Goyne View commit ↗
04c91f63 21.2 mongodb/mongo
Commit message
Import wiredtiger: a7b1a5a9928a803d2dbbf0b253e3dc63bda692b5 from branch mongodb-master (#51661)
Primary suspect file
src/third_party/wiredtiger/src/session/session_api.c (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-13 Ivan Kochin View commit ↗
c9f905eb 21.2 cockroachdb/cockroach
Commit message
sql/schemachanger: add support for dropping enum values (#165821)
Primary suspect file
pkg/sql/schemachanger/scop/validation.go (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-14 trunk-io[bot] View commit ↗
e81328e2 21.2 containers/podman
Commit message
Remove Slirp network mode constant and error on usage
Primary suspect file
pkg/specgen/pod_validate.go (file score: 5)
Detection signals
sec_file:validat surgical
2025-12-25 Lokesh Mandvekar View commit ↗
bf05a014 21.2 haproxy/haproxy
Commit message
MINOR: otel: added metrics instrument support
Primary suspect file
addons/otel/include/conf.h (file score: 5)
Detection signals
moderate +rate_limit
2026-03-02 Miroslav Zagorac View commit ↗
eaa05d2a 21.2 haproxy/haproxy
Commit message
MINOR: otel: added span link support
Primary suspect file
addons/otel/include/parser.h (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-02-26 Miroslav Zagorac View commit ↗
2d56399b 21.2 haproxy/haproxy
Commit message
MEDIUM: otel: added configuration parser and event model
Primary suspect file
addons/otel/include/filter.h (file score: 5)
Detection signals
sec_file:filter[._/] surgical
2026-04-12 Miroslav Zagorac View commit ↗
60adf304 21.2 grafana/grafana
Commit message
Alerting: Add named routing tree support to k8s rules API (#122382)
Primary suspect file
apps/alerting/rules/pkg/app/alertrule/validator.go (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-13 Khalil Haji View commit ↗
9c391292 21.2 grafana/grafana
Commit message
Zanzana: merge legacy and Zanzana permissions in searchUsersPermissions (#121258)
Primary suspect file
packages/grafana-data/src/types/featureToggles.gen.ts (file score: 3)
Detection signals
surgical
2026-04-13 Georges Chaudy View commit ↗
699eb41e 21.2 go-gitea/gitea
Commit message
Add test for "fetch redirect", add CSS value validation for external render (#37207)
Primary suspect file
routers/common/redirect.go (file score: 5)
Detection signals
sec_file:redirect surgical
2026-04-14 wxiaoguang View commit ↗
3b280789 21.2 gravitational/teleport
Commit message
Register ValidatedMFAChallenge resource to cache. Add generic watcher for leaf cluster replication. (#65437)
Primary suspect file
lib/authz/permissions.go (file score: 3)
Detection signals
surgical
2026-04-13 Chris Thach View commit ↗
62b09c02 21.2 drupal/drupal
Commit message
task: #3562645 Fix return types and baselined errors of core/tests/ Build|FunctionalJavascript|Functional code - round 4
Primary suspect file
core/modules/block/tests/src/Functional/BlockWeightUpdateTest.php (file score: 3)
Detection signals
surgical
2026-04-13 Andrei Mateescu View commit ↗
473f5e49 21.2 drupal/drupal
Commit message
task: #3581407 Remove unused properties from unit tests
Primary suspect file
core/modules/field/tests/src/Unit/FieldUninstallValidatorTest.php (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-13 catch View commit ↗
5afcef5d 21.2 payloadcms/payload
Commit message
fix(ui): thread cache tag to list view thumbnails (#11741)
Primary suspect file
packages/ui/src/elements/EditUpload/index.tsx (file score: 5)
Detection signals
sec_file:upload[._/] surgical
2026-04-13 Said Akhrarov View commit ↗
636a3b77 21.2 lobehub/lobe-chat
Commit message
🐛 fix: message gateway queue error (#13816)
Primary suspect file
.env.example (file score: 3)
Detection signals
surgical
2026-04-14 Rdmclin2 View commit ↗
b857ae6c 21.2 lobehub/lobe-chat
Commit message
🐛 fix(desktop): use Electron net.fetch for remote server requests (#13400)
Primary suspect file
apps/desktop/src/main/controllers/AuthCtr.ts (file score: 3)
Detection signals
surgical
2026-04-13 Adam Bellinson View commit ↗
5e3af512 21.2 huggingface/transformers
Commit message
Fix ty for transformers cli (#45190)
Primary suspect file
src/transformers/cli/add_new_model_like.py (file score: 3)
Detection signals
surgical
2026-04-14 Marc Sun View commit ↗
27fbb514 21.2 huggingface/transformers
Commit message
fix: prevent accelerate from splitting vision encoder by setting _no_… (#43047)
Primary suspect file
src/transformers/models/pe_audio/modeling_pe_audio.py (file score: 3)
Detection signals
surgical
2026-04-14 Srijan Upadhyay View commit ↗
fd63aa22 21.2 huggingface/transformers
Commit message
Fix Qwen2.5VL temporal grid positions (#45400)
Primary suspect file
src/transformers/models/ernie4_5_vl_moe/modeling_ernie4_5_vl_moe.py (file score: 3)
Detection signals
surgical
2026-04-14 Raushan Turganbay View commit ↗
d2941693 21.2 huggingface/transformers
Commit message
Fix MoE routers returning probabilities instead of logits (#45131)
Primary suspect file
src/transformers/models/flex_olmo/modeling_flex_olmo.py (file score: 3)
Detection signals
surgical
2026-04-13 mebarkiyacine View commit ↗
ec29ce4c 21.2 ollama/ollama
Commit message
gemma4: fix compiler error on metal (#15550)
Primary suspect file
llama/patches/0027-interleave-multi-rope.patch (file score: 3)
Detection signals
surgical
2026-04-13 Daniel Hiltgen View commit ↗
ee561515 21.2 WWBN/AVideo
Commit message
fix: Add request validation to prevent untrusted access in category and plugin scripts
Primary suspect file
objects/categoryAddNew.json.php (file score: 3)
Detection signals
surgical
2026-04-13 Daniel Neto View commit ↗
caf07ffb 21.2 timescale/timescaledb
Commit message
Add metadata to ranges catalog table (#9553)
Primary suspect file
tsl/src/bgw_policy/job.c (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-04-10 Keyur Panchal View commit ↗
dc4df9c7 21.2 astral-sh/ruff
Commit message
[ty] Fix `TypeGuard` and `TypeIs` narrowing for unbound method calls (#24612)
Primary suspect file
crates/ty_python_semantic/src/types/infer/builder/post_inference/typeguard.rs (file score: 5)
Detection signals
sec_file:guard[._/] surgical
2026-04-13 Charlie Marsh View commit ↗
9a2150b2 21.2 rust-lang/cargo
Commit message
fix: Always take a shared lock on `.cargo-lock`
Primary suspect file
src/cargo/core/compiler/layout.rs (file score: 3)
Detection signals
surgical
2026-04-14 Ross Sullivan View commit ↗
b0942d3f 21.2 rust-lang/cargo
Commit message
fix(toml): Teach users how to pin edition (#16851)
Primary suspect file
src/cargo/util/toml/mod.rs (file score: 3)
Detection signals
surgical
2026-04-14 Weihang Lo View commit ↗
273393c1 21.2 rust-lang/cargo
Commit message
fix: Prefer defined lint levels over default (#16879)
Primary suspect file
src/cargo/lints/rules/blanket_hint_mostly_unused.rs (file score: 3)
Detection signals
surgical
2026-04-14 Ed Page View commit ↗
20dd0c84 21.2 rust-lang/cargo
Commit message
refactor(lints): Rename LintLevelReason to LintLevelSource
Primary suspect file
src/cargo/lints/rules/blanket_hint_mostly_unused.rs (file score: 3)
Detection signals
surgical
2026-03-19 Scott Schafer View commit ↗
973b12b5 21.2 mongodb/mongo
Commit message
SERVER-123562 Remove recordIdsReplicated field from the listCollections output when PersistenceProvider requires recordIdsReplicated. (#51529)
Primary suspect file
jstests/libs/catalog_list_operations_consistency_validator.js (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-14 Ernesto Rodriguez Reina View commit ↗
3a152589 21.2 WWBN/AVideo
Commit message
fix: Enhance Authorize.Net plugin with transaction ID handling and processing locks
Primary suspect file
plugin/AuthorizeNet/Objects/Anet_pending_payment.php (file score: 3)
Detection signals
surgical
2026-04-14 Daniel Neto View commit ↗
141394ae 21.2 netdata/netdata
Commit message
Remove VLA (variable-length arrays) (claim and daemon) (#22114)
Primary suspect file
src/daemon/dyncfg/dyncfg-intercept.c (file score: 5)
Detection signals
sec_file:intercept surgical
2026-04-14 thiagoftsm View commit ↗
60035c6a 21.2 NVIDIA/OpenShell
Commit message
refactor(server): extract kubernetes compute driver (#817)
Primary suspect file
crates/openshell-server/src/grpc/policy.rs (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-04-14 Drew Newberry View commit ↗
18fb7af4 21.2 NVIDIA/OpenShell
Commit message
perf(docker): move version ARG below cached layers to fix cache invalidation (#385)
Primary suspect file
deploy/docker/Dockerfile.cli-macos (file score: 3)
Detection signals
surgical
2026-03-17 Piotr Mlocek View commit ↗
d3e1b31d 21.2 NVIDIA/OpenShell
Commit message
feat(sandbox): log connection attempts that bypass proxy path (#326)
Primary suspect file
.gitignore (file score: 3)
Detection signals
surgical
2026-03-16 John T. Myers View commit ↗
19c32302 21.2 NVIDIA/OpenShell
Commit message
feat(ci): add automated release workflow with patch version bumping (#284)
Primary suspect file
crates/openshell-bootstrap/src/docker.rs (file score: 3)
Detection signals
surgical
2026-03-14 Drew Newberry View commit ↗
20c32716 21.2 NVIDIA/OpenShell
Commit message
fix(bootstrap): detect missing sandbox supervisor binary during gateway health check (#281)
Primary suspect file
crates/openshell-bootstrap/src/constants.rs (file score: 3)
Detection signals
surgical
2026-03-13 Drew Newberry View commit ↗
99bba802 21.2 NVIDIA/OpenShell
Commit message
feat(sandbox): support policy discovery and restrictive defaults on sandbox containers (#84)
Primary suspect file
crates/navigator-bootstrap/src/kubeconfig.rs (file score: 3)
Detection signals
surgical
2026-03-05 Drew Newberry View commit ↗
a17959f7 21.2 NVIDIA/OpenShell
Commit message
fix(sandbox): eliminate SSH transport race causing flaky E2E tests (#69)
Primary suspect file
crates/navigator-server/src/grpc.rs (file score: 3)
Detection signals
surgical
2026-03-03 Drew Newberry View commit ↗
757217f4 21.2 NVIDIA/OpenShell
Commit message
feat(sandbox): support live policy updates, history, and policy-aware logs (!55)
Primary suspect file
crates/navigator-cli/tests/mtls_integration.rs (file score: 4)
Detection signals
sec_file:tls[._/] moderate
2026-02-26 John Myers View commit ↗
6dc97171 21.2 NVIDIA/OpenShell
Commit message
feat(sandbox): add image build/push and fix cluster deploy (!34)
Primary suspect file
crates/navigator-bootstrap/src/lib.rs (file score: 3)
Detection signals
surgical
2026-02-23 Drew Newberry View commit ↗
d2f3ca71 21.2 NVIDIA/OpenShell
Commit message
feat(sandbox): add callable python exec API and refresh e2e coverage (!19)
Primary suspect file
crates/navigator-cli/tests/mtls_integration.rs (file score: 4)
Detection signals
sec_file:tls[._/] moderate
2026-02-13 Drew Newberry View commit ↗
00f432de 21.2 NVIDIA/OpenShell
Commit message
feat: add mtls support to plaform
Primary suspect file
crates/navigator-cli/src/tls.rs (file score: 6)
Detection signals
sec_file:tls[._/] large_penalty +sanitize_name
2026-02-06 Drew Newberry View commit ↗
39314d4d 21.2 dotnet/runtime
Commit message
Make UCO MethodDesc globals DAC-accessible (#126927)
Primary suspect file
src/coreclr/vm/eepolicy.cpp (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-04-15 Adeel Mujahid View commit ↗
7442fa78 21.2 mongodb/mongo
Commit message
SERVER-123334 Integrate latest size/count into Collection API (#51746)
Primary suspect file
src/mongo/db/validate/validate_adaptor.cpp (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-15 Cedric Sirianni View commit ↗
c07b170c 21.2 mongodb/mongo
Commit message
SERVER-121320 Combine featureFlagExtensionViewsAndUnionWith with featureFlagExtensionsInsideHybridSearch (#51436)
Primary suspect file
jstests/extensions/view_pipeline_validator_extension.js (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-15 Finley Lau View commit ↗
1049fdc8 21.2 grafana/grafana
Commit message
Preferences: Improve list behavior (fix orphaned teams) (#122639)
Primary suspect file
pkg/registry/apis/preferences/legacy/preferences.go (file score: 3)
Detection signals
surgical
2026-04-15 Ryan McKinley View commit ↗
cf7fb1f2 21.2 elastic/elasticsearch
Commit message
Extend `SecondaryAuthentication` to capture and restore transient headers (#146310)
Primary suspect file
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityContext.java (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-15 Slobodan Adamović View commit ↗
5601a0d2 21.2 elastic/elasticsearch
Commit message
Reindex Relocation: Prevent source task override task result (#145947)
Primary suspect file
modules/reindex/src/main/java/org/elasticsearch/reindex/Reindexer.java (file score: 3)
Detection signals
surgical
2026-04-15 Sam Xiao View commit ↗
5e6fc578 21.2 falcosecurity/falco
Commit message
fix(userspace): add portable compat wrappers for gmtime_r, localtime_r, strerror_r
Primary suspect file
userspace/engine/formats.cpp (file score: 3)
Detection signals
surgical
2026-04-09 Leonardo Grasso View commit ↗
310def12 21.2 Azure/azure-sdk-for-python
Commit message
[agentserver-responses] Harden response model, type safety, and builder API (#46302)
Primary suspect file
sdk/agentserver/azure-ai-agentserver-responses/azure/ai/agentserver/responses/__init__.py (file score: 3)
Detection signals
surgical
2026-04-15 Ankit Sinha View commit ↗
e3d11321 21.2 Azure/azure-cli
Commit message
[Storage] `az storage blob/container/share/file/queue/fs generate-sas`: Add `--user-delegation-tid` to support cross tenant user delegated sas (#33187)
Primary suspect file
src/azure-cli/azure/cli/command_modules/storage/_validators.py (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-16 Zhiyi Huang View commit ↗
adb78953 21.2 Azure/azure-cli
Commit message
[Containerapp] `az containerapp create`: Support other cloud for acr (#33160)
Primary suspect file
src/azure-cli/azure/cli/command_modules/containerapp/_validators.py (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-15 Greedygre View commit ↗
9a7d8eb3 21.2 FasterXML/jackson-databind
Commit message
Fix #5911: aliases w/ unwrapped (#5913)
Primary suspect file
src/main/java/tools/jackson/databind/deser/bean/BeanDeserializerBase.java (file score: 6)
Detection signals
sec_file:deserializ surgical
2026-04-15 Tatu Saloranta View commit ↗
bc7b798d 21.2 lobehub/lobe-chat
Commit message
🐛 fix(conversation): improve workflow display when user intervention is pending (#13847)
Primary suspect file
packages/builtin-tool-activator/src/client/Inspector/ActivateTools/index.tsx (file score: 3)
Detection signals
surgical
2026-04-15 Innei View commit ↗
23ee16ad 21.2 timescale/timescaledb
Commit message
Remove unused function
Primary suspect file
tsl/src/continuous_aggs/invalidation_threshold.h (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-15 Sven Klemm View commit ↗
ee9088ee 21.2 astral-sh/ruff
Commit message
[ty] Add `--fix` mode (#24097)
Primary suspect file
crates/ruff_db/src/diagnostic/mod.rs (file score: 3)
Detection signals
surgical
2026-04-15 Micha Reiser View commit ↗
b33fee51 21.2 php/php-src
Commit message
ext/phar: refactor phar_entry_info.link field (#21790)
Primary suspect file
ext/phar/func_interceptors.c (file score: 5)
Detection signals
sec_file:intercept surgical
2026-04-18 Gina Peter Banyard View commit ↗
ace3aa31 21.2 rust-lang/rust
Commit message
Make region equality emits Eq constraints
Primary suspect file
compiler/rustc_borrowck/src/diagnostics/bound_region_errors.rs (file score: 3)
Detection signals
surgical
2026-04-14 Shoyu Vanilla View commit ↗
4b71a600 21.2 denoland/deno
Commit message
fix(ext/napi): implement real V8 handle scopes and callback scopes (#33281)
Primary suspect file
ext/napi/node_api.rs (file score: 6)
Detection signals
moderate -unsafe {
2026-04-18 Bartek Iwańczuk View commit ↗
af31b9d4 21.2 go-gitea/gitea
Commit message
Refactor LDAP tests (#37274)
Primary suspect file
services/forms/auth_form.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-18 wxiaoguang View commit ↗
c213483a 21.2 lobehub/lobe-chat
Commit message
feat(workflow): tri-state completion status icon for WorkflowCollapse (#13952)
Primary suspect file
src/libs/oidc-provider/jwt.ts (file score: 7)
Detection signals
sec_file:jwt[._/] surgical
2026-04-18 Innei View commit ↗
5dc94cbc 21.2 lobehub/lobe-chat
Commit message
✨ feat(cc-agent): improve for CC integration mode (#13950)
Primary suspect file
src/routes/(main)/agent/features/Conversation/Header/index.tsx (file score: 4)
Detection signals
sec_file:header[._/] surgical
2026-04-18 Arvin Xu View commit ↗
4b71a600 21.2 denoland/deno
Commit message
fix(ext/napi): implement real V8 handle scopes and callback scopes (#33281)
Primary suspect file
ext/napi/node_api.rs (file score: 6)
Detection signals
moderate -unsafe {
2026-04-18 Bartek Iwańczuk View commit ↗
aefe07e4 21.2 casdoor/casdoor
Commit message
feat: fix bug that there's no cert field in Alipay OAuth provider
Primary suspect file
web/src/provider/OAuthProviderFields.js (file score: 5)
Detection signals
sec_file:oauth moderate
2026-04-20 Yang Luo View commit ↗
01b07e0a 21.2 casdoor/casdoor
Commit message
fix: add IsValidSamlRedirectURL
Primary suspect file
controllers/auth.go (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-04-19 Yang Luo View commit ↗
fad43236 21.2 php/php-src
Commit message
Replace google.com with example.com in URI test fixtures (#21807)
Primary suspect file
ext/uri/tests/008.phpt (file score: 3)
Detection signals
surgical
2026-04-19 Jordi Kroon View commit ↗
a90202d2 21.2 apache/airflow
Commit message
Fix ti.start_date showing deferral-resume time instead of original start time (#63247)
Primary suspect file
airflow-core/src/airflow/api_fastapi/execution_api/datamodels/taskinstance.py (file score: 3)
Detection signals
surgical
2026-04-19 Henry Chen View commit ↗
e2311dfd 21.2 harttle/liquidjs
Commit message
fix: nested block for layout (#883)
Primary suspect file
.all-contributorsrc (file score: 3)
Detection signals
surgical
2026-04-19 Yang Jun View commit ↗
02136565 21.2 lobehub/lobe-chat
Commit message
🐛 fix: message gateway (#13979)
Primary suspect file
src/app/(backend)/api/agent/gateway/callback/route.ts (file score: 3)
Detection signals
surgical
2026-04-19 Rdmclin2 View commit ↗
e94abcb8 21.2 strapi/strapi
Commit message
test(e2e): fixes for race conditions and file resets (#26019)
Primary suspect file
tests/app-template/.gitignore (file score: 3)
Detection signals
surgical
2026-04-20 Ben Irvin View commit ↗
f7bd3213 21.2 nuxt/nuxt
Commit message
fix(schema,rspack,webpack): respect configured `test` option (#34827)
Primary suspect file
packages/schema/src/config/build.ts (file score: 6)
Detection signals
sec_file:config[._/] surgical
2026-04-20 Daniel Roe View commit ↗
93b2c789 21.2 google/boringssl
Commit message
Fix typos
Primary suspect file
pki/crl.cc (file score: 3)
Detection signals
surgical
2026-04-19 Amir Sarabadani View commit ↗
1cf71251 21.2 keycloak/keycloak
Commit message
fix: ensures that owner references are updated after an upgrade (#48213)
Primary suspect file
operator/src/main/java/org/keycloak/operator/Constants.java (file score: 3)
Detection signals
surgical
2026-04-20 Steven Hawkins View commit ↗
6b376d0a 21.2 casdoor/casdoor
Commit message
feat: add OpenClaw transcript storage and viewer (#5420)
Primary suspect file
object/openclaw_session_graph.go (file score: 5)
Detection signals
sec_file:session[._/] moderate
2026-04-20 Paperlz View commit ↗
404010e8 21.2 mongodb/mongo
Commit message
SERVER-124432: protect top/down close for some stages in sbe (#52064)
Primary suspect file
src/mongo/db/exec/sbe/stages/agg_project.cpp (file score: 3)
Detection signals
surgical
2026-04-20 nicola cabiddu View commit ↗
d4facf4b 21.2 mongodb/mongo
Commit message
SERVER-120633 Fix samplingCE mode behavior when index is dropped during sampling query yield (#50909)
Primary suspect file
src/mongo/db/query/compiler/ce/sampling/sampling_estimator_impl.cpp (file score: 3)
Detection signals
surgical
2026-04-20 Militsa Sotirova View commit ↗
1eb6ffde 21.2 mongodb/mongo
Commit message
SERVER-122001 Implement apply_pipeline_suffix_dependencies API (#51543)
Primary suspect file
src/mongo/db/extension/host/aggregation_stage/tests/BUILD.bazel (file score: 3)
Detection signals
surgical
2026-04-20 Daniel Segel View commit ↗
f1b359e0 21.2 gravitational/teleport
Commit message
add AppMetadata to AuthAttempt (#65594)
Primary suspect file
lib/web/app/session.go (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-20 STeve (Xin) Huang View commit ↗
f70978fb 21.2 aws/aws-sdk-js-v3
Commit message
feat(client-observabilityadmin): Enablement for Security Hub v2 via Observability Admin Telemetry Rule for account and organization level.
Primary suspect file
clients/client-observabilityadmin/src/commands/CreateTelemetryRuleCommand.ts (file score: 3)
Detection signals
surgical
2026-04-20 awstools View commit ↗
444f15ce 21.2 aws/aws-sdk-js-v3
Commit message
feat(client-location): This release adds support for new Job APIs for bulk workloads. The initial job type supported is Address Validation. The new APIs added are StartJob, CancelJob, ListJobs, and Ge
Primary suspect file
clients/client-location/src/LocationClient.ts (file score: 3)
Detection signals
surgical
2026-04-20 awstools View commit ↗
8e4076d8 21.2 protocolbuffers/protobuf
Commit message
Add UPB_NODISCARD in many places, prioritizing ones that use the return value to indicate an error
Primary suspect file
upb/io/string.h (file score: 5)
Detection signals
moderate -des
2026-04-20 Protobuf Team Bot View commit ↗
b4aa51ba 21.2 lobehub/lobe-chat
Commit message
🐛 fix: hetero-agent ToolSearch content + bot IM reply + titlebar polish (#13998)
Primary suspect file
packages/heterogeneous-agents/src/adapters/claudeCode.ts (file score: 3)
Detection signals
surgical
2026-04-20 Arvin Xu View commit ↗
90c0319b 21.2 open-telemetry/opentelemetry-python
Commit message
opentelemetry-sdk: fix typing issues for metrics instruments (#5082)
Primary suspect file
opentelemetry-sdk/src/opentelemetry/sdk/metrics/_internal/_view_instrument_match.py (file score: 3)
Detection signals
surgical
2026-04-20 Riccardo Magliocchetti View commit ↗
f6f5753d 21.2 marimo-team/marimo
Commit message
fix: hold references to asyncio tasks (#9261)
Primary suspect file
marimo/_server/api/middleware.py (file score: 5)
Detection signals
sec_file:middleware[._/] surgical
2026-04-20 Akshay Agrawal View commit ↗
9bd9c496 21.2 google/boringssl
Commit message
Add a value barrier to EVP_sha256_final_with_secret_suffix too
Primary suspect file
crypto/cipher/tls_cbc.cc (file score: 15)
Detection signals
sec_file:crypto[._/] surgical +constant_time
2026-04-20 David Benjamin View commit ↗
02fc33b6 21.2 rust-lang/rust
Commit message
Rollup merge of #155572 - mejrs:move_target_checks, r=JonathanBrouwer,GuillaumeGomez
Primary suspect file
compiler/rustc_attr_parsing/src/attributes/diagnostic/do_not_recommend.rs (file score: 5)
Detection signals
moderate +AllowList
2026-04-21 Jacob Pratt View commit ↗
545e7dc0 21.2 rust-lang/rust
Commit message
Rollup merge of #151194 - chenyukang:yukang-fix-150701-async-closure, r=wesleywiser
Primary suspect file
tests/ui/async-await/async-closures/suggest-async-block-issue-140265.stderr (file score: 3)
Detection signals
surgical
2026-04-21 Jacob Pratt View commit ↗
e8b6c973 21.2 rust-lang/rust
Commit message
fix `ty::UnevaluatedConst<I>>`->`AliasTerm<I>` conversion
Primary suspect file
compiler/rustc_infer/src/infer/relate/generalize.rs (file score: 3)
Detection signals
surgical
2026-04-16 Waffle Lapkin View commit ↗
3462280e 21.2 dotnet/runtime
Commit message
Fix trimability in a couple more test projects (#127223)
Primary suspect file
src/libraries/System.Diagnostics.EventLog/tests/EventLogMessagesTests.cs (file score: 3)
Detection signals
surgical
2026-04-22 Michal Strehovský View commit ↗
f1ce5ce8 21.2 dotnet/runtime
Commit message
JIT: Remove `doesMethodHavePartialCompilationPatchpoints` (#127219)
Primary suspect file
src/coreclr/jit/block.cpp (file score: 3)
Detection signals
surgical
2026-04-21 Jakob Botsch Nielsen View commit ↗
b110ebc3 21.2 cockroachdb/cockroach
Commit message
backup: stub out backup revlog entry point (#168774)
Primary suspect file
pkg/sql/parser/sql.y (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-21 trunk-io[bot] View commit ↗
b7a3649c 21.2 cockroachdb/cockroach
Commit message
backup: stub out backup revlog entry point
Primary suspect file
pkg/sql/parser/sql.y (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-21 David Taylor View commit ↗
1024ffd5 21.2 hashicorp/vault
Commit message
UI: Fix Namespace url and content on page synchronization with pagination (#14095) (#14140)
Primary suspect file
ui/app/components/page/namespaces.hbs (file score: 3)
Detection signals
surgical
2026-04-21 Vault Automation View commit ↗
44b0c28f 21.2 grafana/grafana
Commit message
Datsources: add metrics to verify traffic on new /apis/ endpoints (#121441)
Primary suspect file
pkg/registry/apis/datasource/register.go (file score: 3)
Detection signals
surgical
2026-04-21 Tim Mulqueen View commit ↗
403bcf50 21.2 googleapis/google-cloud-python
Commit message
chore(nox): chore update noxfile with format session that uses ruff (#16647)
Primary suspect file
packages/google-auth/noxfile.py (file score: 6)
Detection signals
sec_file:auth[._/] moderate
2026-04-21 Chalmer Lowe View commit ↗
6ddef952 21.2 lobehub/lobe-chat
Commit message
chore: fix follow-up chat input state during message queueing (#14020)
Primary suspect file
src/features/ChatInput/Desktop/index.tsx (file score: 3)
Detection signals
surgical
2026-04-21 AmAzing- View commit ↗
cb0adddc 21.2 huggingface/transformers
Commit message
fix(DSV3): parity between native `DeepseekV3MoE` and remote official implementation (#45441)
Primary suspect file
src/transformers/models/deepseek_v3/modeling_deepseek_v3.py (file score: 3)
Detection signals
surgical
2026-04-22 casinca View commit ↗
f048e845 21.2 huggingface/transformers
Commit message
[modular] Fix modular logic broken in #45045 (#45539)
Primary suspect file
src/transformers/models/conditional_detr/image_processing_pil_conditional_detr.py (file score: 3)
Detection signals
surgical
2026-04-22 Cyril Vallez View commit ↗
52f1096f 21.2 ggerganov/llama.cpp
Commit message
openvino: driver setup, CI split, thread safety, and NPU optimizations (#21944)
Primary suspect file
ggml/src/ggml-openvino/openvino/translate_session.cpp (file score: 5)
Detection signals
sec_file:session[._/] moderate
2026-04-21 Zijun Yu View commit ↗
8c825020 21.2 open-telemetry/opentelemetry-python
Commit message
Misc fixes towards opentelemetry-sdk being type checked (#5105)
Primary suspect file
opentelemetry-sdk/src/opentelemetry/sdk/metrics/_internal/_view_instrument_match.py (file score: 3)
Detection signals
surgical
2026-04-21 Riccardo Magliocchetti View commit ↗
fa2a3de6 21.2 django/django
Commit message
Fixed #10919 -- Added delete_confirmation_max_display to ModelAdmin.
Primary suspect file
django/contrib/admin/actions.py (file score: 3)
Detection signals
surgical
2026-04-22 Rodrigo Vieira View commit ↗
6226a460 21.2 google/boringssl
Commit message
rust: bssl-tls: Safe abstraction of a partially filled buffer
Primary suspect file
rust/bssl-tls/src/ffi.rs (file score: 11)
Detection signals
sec_file:tls[._/] large_penalty +sanitize_slice +MaybeUninit
2026-04-21 Xiangfei Ding View commit ↗
84319588 21.2 logto-io/logto
Commit message
fix(console): resolve sidebar visual issues and onboarding submit crash (#8705)
Primary suspect file
packages/console/src/containers/ConsoleContent/Sidebar/index.module.scss (file score: 3)
Detection signals
surgical
2026-04-23 Darcy Ye View commit ↗
65297e2d 21.2 logto-io/logto
Commit message
feat(console): add optional project name to OSS onboarding (#8684)
Primary suspect file
packages/console/src/pages/OssOnboarding/index.tsx (file score: 5)
Detection signals
surgical +maxLength
2026-04-22 Darcy Ye View commit ↗
b6179605 21.2 logto-io/logto
Commit message
fix(console): make OSS company onboarding fields optional (#8682)
Primary suspect file
packages/console/src/pages/OssOnboarding/index.tsx (file score: 3)
Detection signals
surgical
2026-04-22 Darcy Ye View commit ↗
8d75f0cb 21.2 rust-lang/rust
Commit message
add on_unmatch_args
Primary suspect file
compiler/rustc_attr_parsing/src/attributes/diagnostic/on_unmatch_args.rs (file score: 5)
Detection signals
moderate +AllowList
2026-04-19 yukang View commit ↗
3e57726f 21.2 mongodb/mongo
Commit message
SERVER-123845 Path arrayness API doesn't track a base collection that is also a secondary collection (#52267)
Primary suspect file
src/mongo/db/query/stage_builder/sbe/gen_filter.h (file score: 5)
Detection signals
sec_file:filter[._/] surgical
2026-04-22 Evan Bergeron View commit ↗
7c716274 21.2 typeorm/typeorm
Commit message
chore(deps): bump dependencies and fix lint offenses (#12401)
Primary suspect file
packages/codemod/src/transforms/v1/connection-to-datasource.ts (file score: 3)
Detection signals
surgical
2026-04-22 Piotr Kuczynski View commit ↗
86b7f5d8 21.2 grafana/grafana
Commit message
Alerting: Restrict email contact point recipients to org members (#123173)
Primary suspect file
conf/defaults.ini (file score: 3)
Detection signals
surgical
2026-04-22 Yuri Tseretyan View commit ↗
aad5174a 21.2 grafana/grafana
Commit message
Provisioning: Use full sync instead of incremental if diff size exceeds a certain amount (#123127)
Primary suspect file
apps/provisioning/pkg/repository/github/webhook.go (file score: 5)
Detection signals
sec_file:webhook[._/] surgical
2026-04-22 Daniele Stefano Ferru View commit ↗
13a47185 21.2 grafana/grafana
Commit message
IAM: Fixes, improvements to IAM APIs (#123062)
Primary suspect file
pkg/registry/apis/iam/authorizer/external_group_mapping.go (file score: 3)
Detection signals
surgical
2026-04-22 Misi View commit ↗
7caa5f0e 21.2 apache/spark
Commit message
[SPARK-31561][SQL] Add QUALIFY Clause
Primary suspect file
sql/api/src/main/antlr4/org/apache/spark/sql/catalyst/parser/SqlBaseLexer.g4 (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-22 Liang-Chi Hsieh View commit ↗
502de2e8 21.2 drupal/drupal
Commit message
fix: #3045509 EntityFieldManager key/value field map gets out of sync, doesn't recognise bundle fields
Primary suspect file
core/modules/content_translation/tests/src/Functional/ContentTranslationSettingsTest.php (file score: 3)
Detection signals
surgical
2026-04-22 Andrei Mateescu View commit ↗
dccabe3a 21.2 Azure/azure-sdk-for-python
Commit message
[AgentServer] Platform headers, persistence resilience, x-request-id, logging fix (#46429)
Primary suspect file
sdk/agentserver/azure-ai-agentserver-core/azure/ai/agentserver/core/__init__.py (file score: 3)
Detection signals
surgical
2026-04-22 Ravi Pidaparthi View commit ↗
17834d41 21.2 lobehub/lobe-chat
Commit message
🐛 fix(route-log): record image/video generation triggers (#14048)
Primary suspect file
packages/model-runtime/src/core/BaseAI.ts (file score: 3)
Detection signals
surgical
2026-04-22 YuTengjing View commit ↗
993f3f29 21.2 lobehub/lobe-chat
Commit message
🐛 fix: slack webhook error (#14052)
Primary suspect file
src/routes/(main)/agent/channel/detail/Body.tsx (file score: 3)
Detection signals
surgical
2026-04-22 Rdmclin2 View commit ↗
2644bb84 20.7 UNCLASSIFIED go-gitea/gitea
Commit message
Remove htmx (#37224)
Primary suspect file
eslint.config.ts (file score: 3)
Detection signals
surgical
2026-04-15 wxiaoguang View commit ↗
274c5d42 20.6 DOS→AMPLIFICATION falcosecurity/falco
Commit message
build: drop WIN32 exclusion from http_output, webserver, and metrics gates
Primary suspect file
userspace/engine/falco_utils.cpp (file score: 3)
Detection signals
surgical
2026-03-19 Leonardo Grasso View commit ↗
bad4300f 20.4 UNCLASSIFIED Azure/azure-sdk-for-python
Commit message
[AutoPR azure-mgmt-storagemover]-generated-from-SDK Generation - Python-6110792 (#46138)
Primary suspect file
sdk/storagemover/azure-mgmt-storagemover/azure/mgmt/storagemover/_client.py (file score: 3)
Detection signals
surgical
2026-04-20 Azure SDK Bot View commit ↗
c1bc8e75 20.0 laravel/framework
Commit message
Update facade docblocks
Primary suspect file
src/Illuminate/Support/Facades/Session.php (file score: 7)
Detection signals
sec_file:session[._/] surgical
2026-04-13 taylorotwell View commit ↗
e7bdf743 20.0 symfony/symfony
Commit message
Fix merge
Primary suspect file
src/Symfony/Component/Templating/Loader/CacheLoader.php (file score: 7)
Detection signals
-eval(
2026-04-13 Nicolas Grekas View commit ↗
1888c44e 20.0 cockroachdb/cockroach
Commit message
ui: migrate sql statement details graphs to d3 (#166293)
Primary suspect file
pkg/ui/workspaces/cluster-ui/src/graphs/bargraph/plugins.ts (file score: 4)
Detection signals
large_penalty -innerHTML =
2026-04-14 trunk-io[bot] View commit ↗
7c66bb54 20.0 haproxy/haproxy
Commit message
MINOR: otel: changed instrument attr to use sample expressions
Primary suspect file
addons/otel/src/parser.c (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-06 Miroslav Zagorac View commit ↗
cd14abf9 20.0 haproxy/haproxy
Commit message
MEDIUM: otel: added OpenTelemetry filter skeleton
Primary suspect file
addons/otel/include/parser.h (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-13 Miroslav Zagorac View commit ↗
258337f8 20.0 grafana/grafana
Commit message
Preferences: Fix patch support (#122541)
Primary suspect file
pkg/registry/apis/preferences/legacy/preferences.go (file score: 3)
Detection signals
surgical
2026-04-14 Ryan McKinley View commit ↗
fb02153b 20.0 drupal/drupal
Commit message
task: #3584406 Refactor core/tests code via Rector
Primary suspect file
core/tests/Drupal/Tests/TestTools/ErrorHandler/DrupalDebugClassLoaderTest.php (file score: 4)
Detection signals
sec_file:handler[._/] surgical
2026-04-14 Andrei Mateescu View commit ↗
6e1a1663 20.0 googleapis/google-cloud-python
Commit message
feat: initial scaffolding for the `google-cloud-spanner-dbapi-driver` package (#16121)
Primary suspect file
packages/google-cloud-spanner-dbapi-driver/setup.py (file score: 4)
Detection signals
+os.path.abspath
2026-04-14 Sanjeev Bhatt View commit ↗
fd0d8469 20.0 lobehub/lobe-chat
Commit message
✨ feat: support layout custom sort and fix copy (#13812)
Primary suspect file
src/hooks/useNavLayout.ts (file score: 3)
Detection signals
surgical
2026-04-14 Rdmclin2 View commit ↗
49da27c3 20.0 rust-lang/rust
Commit message
Rollup merge of #154049 - petrochenkov:deleglobspan, r=jackh726
Primary suspect file
compiler/rustc_parse/src/parser/item.rs (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-14 Jonathan Brouwer View commit ↗
7114404a 20.0 rust-lang/rust
Commit message
ast: Preserve the star symbol span in glob delegation items
Primary suspect file
compiler/rustc_parse/src/parser/item.rs (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-03-18 Vadim Petrochenkov View commit ↗
86f14242 20.0 elastic/elasticsearch
Commit message
Add collapsed flag to TimeSeriesAggregate pipeline (#146048)
Primary suspect file
x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/parser/LogicalPlanBuilder.java (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-15 Felix Barnsteiner View commit ↗
17f62bfe 20.0 go-gitea/gitea
Commit message
Refactor "htmx" to "fetch action" (#37208)
Primary suspect file
templates/org/header.tmpl (file score: 4)
Detection signals
sec_file:header[._/] surgical
2026-04-14 wxiaoguang View commit ↗
ac4fc31a 20.0 payloadcms/payload
Commit message
feat(plugin-mcp): allow external plugins to extend mcp plugin (#16245)
Primary suspect file
packages/plugin-mcp/src/mcp/getMcpHandler.ts (file score: 4)
Detection signals
sec_file:handler[._/] surgical
2026-04-14 Alessio Gravili View commit ↗
5565a8bb 20.0 NVIDIA/OpenShell
Commit message
fix(cli): suppress browser popup during auth via OPENSHELL_NO_BROWSER env var (#419)
Primary suspect file
e2e/rust/tests/cf_auth_smoke.rs (file score: 8)
Detection signals
sec_file:auth[._/] surgical
2026-03-18 Drew Newberry View commit ↗
f869182d 20.0 NVIDIA/OpenShell
Commit message
feat(sandbox): move inference execution to sandbox-local routing (!79) (!52)
Primary suspect file
crates/navigator-sandbox/src/proxy.rs (file score: 6)
Detection signals
large_penalty +sanitize_inference_response_headers +Unauthorized
2026-02-25 Piotr Mlocek View commit ↗
e34444ad 20.0 NVIDIA/OpenShell
Commit message
feat(sandbox): add ssh connect to sandbox + build agent harness
Primary suspect file
crates/navigator-server/tests/multiplex_tls_integration.rs (file score: 4)
Detection signals
sec_file:tls[._/] moderate
2026-02-05 Drew Newberry View commit ↗
388145c5 20.0 golang/go
Commit message
compress/flate: improve compression speed
Primary suspect file
src/compress/flate/load_store.go (file score: 4)
Detection signals
moderate +bounds check
2026-04-15 Klaus Post View commit ↗
388145c5 20.0 golang/go
Commit message
compress/flate: improve compression speed
Primary suspect file
src/compress/flate/load_store.go (file score: 4)
Detection signals
moderate +bounds check
2026-04-15 Klaus Post View commit ↗
439410f6 20.0 rust-lang/rust
Commit message
Rollup merge of #155311 - cyrgani:expand-clean, r=Kivooeo,petrochenkov
Primary suspect file
compiler/rustc_expand/src/mbe/macro_parser.rs (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-15 Jonathan Brouwer View commit ↗
e07a1aa4 20.0 containerd/containerd
Commit message
Add configuration for socket directory to the shim manager
Primary suspect file
core/runtime/v2/shim_manager.go (file score: 6)
Detection signals
moderate +filepath.Clean
2026-01-14 Derek McGowan View commit ↗
77d062d2 20.0 grafana/grafana
Commit message
Dashboard: Simplify / unify handling of open sidebar pane (#122003)
Primary suspect file
public/app/features/dashboard-scene/edit-pane/EditPaneHeader.tsx (file score: 4)
Detection signals
sec_file:header[._/] surgical
2026-04-15 Torkel Ödegaard View commit ↗
dd81642d 20.0 lobehub/lobe-chat
Commit message
♻️ refactor: extract agent-stream into `@lobechat/agent-gateway-client` package (#13866)
Primary suspect file
src/store/chat/slices/aiChat/actions/gatewayEventHandler.ts (file score: 4)
Detection signals
sec_file:handler[._/] surgical
2026-04-16 Arvin Xu View commit ↗
7d601dc2 20.0 langchain-ai/langchain
Commit message
chore(core): harden private SSRF utilities (#36768)
Primary suspect file
libs/core/langchain_core/_security/_exceptions.py (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-15 ccurme View commit ↗
9262aa8d 20.0 rabbitmq/rabbitmq-server
Commit message
Fix issue relative to download to verify_none
Primary suspect file
deps/oauth2_client/Makefile (file score: 7)
Detection signals
sec_file:oauth surgical
2026-04-15 Marcial Rosales View commit ↗
1d2d092b 20.0 dotnet/runtime
Commit message
Change cDAC contract versioning from integer to string identifiers (#127020)
Primary suspect file
src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader/ContractDescriptorParser.cs (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-18 Max Charlamb View commit ↗
568389d4 20.0 lobehub/lobe-chat
Commit message
♻️ refactor(web-onboarding): rename doc tools and drive incremental persona writes (#13933)
Primary suspect file
packages/builtin-agents/src/agents/web-onboarding/systemRole.ts (file score: 4)
Detection signals
moderate +forbidden
2026-04-18 Innei View commit ↗
8ba2d256 20.0 typeorm/typeorm
Commit message
feat(codemod): rename ConnectionOptionsReader.all() to get() and flag path semantics change (#12362)
Primary suspect file
packages/codemod/src/transforms/v1/connection-to-datasource.ts (file score: 4)
Detection signals
large_penalty -require(.
2026-04-19 Piotr Kuczynski View commit ↗
0eb238e4 20.0 Azure/azure-sdk-for-python
Commit message
fix(agentserver-responses): stream provider fallback for non-stream-capable providers (#46393)
Primary suspect file
sdk/agentserver/azure-ai-agentserver-responses/azure/ai/agentserver/responses/hosting/_routing.py (file score: 3)
Detection signals
surgical
2026-04-19 Ravi Pidaparthi View commit ↗
6ca5fc4b 20.0 lobehub/lobe-chat
Commit message
✨ feat(hetero-agent): Claude Code runtime, cwd, and sidebar polish (#13970)
Primary suspect file
src/features/ChatInput/RuntimeConfig/WorkingDirectory.tsx (file score: 4)
Detection signals
sec_file:config[._/] moderate
2026-04-19 Arvin Xu View commit ↗
770eccca 20.0 logto-io/logto
Commit message
feat(core): support tenant signing key rotation bootstrap (#8669)
Primary suspect file
packages/core/src/libraries/logto-config.ts (file score: 4)
Detection signals
sec_file:config[._/] moderate
2026-04-21 Charles Zhao View commit ↗
44ae2bc5 20.0 apache/airflow
Commit message
Feature/cursor pagination task instances UI (#64953)
Primary suspect file
airflow-core/src/airflow/ui/src/utils/useFiltersHandler.ts (file score: 4)
Detection signals
sec_file:handler[._/] surgical
2026-04-20 Pierre Jeambrun View commit ↗
beef8f14 20.0 openiddict/openiddict-core
Commit message
Reference the Microsoft.AspNetCore.DataProtection package instead of the Microsoft.AspNetCore.App framework on .NET 8.0/9.0/10.0
Primary suspect file
src/OpenIddict.Validation.DataProtection/OpenIddict.Validation.DataProtection.csproj (file score: 5)
Detection signals
sec_file:validat surgical
2026-04-21 Kévin Chalet View commit ↗
16de94ea 20.0 freebsd/freebsd-src
Commit message
audit: Fix logging of IPv6 addresses
Primary suspect file
sys/security/audit/audit_bsm.c (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-20 Andrew Gallatin View commit ↗
bf15cf97 20.0 grafana/grafana
Commit message
InfluxDB: Decouple backend (#119167)
Primary suspect file
pkg/tsdb/influxdb/models/model_parser.go (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-21 Nathan Vērzemnieks View commit ↗
b02b7272 20.0 lobehub/lobe-chat
Commit message
✨ feat(heterogeneous-agent): support CC subagent rendering (#14001)
Primary suspect file
src/features/Portal/Thread/Chat/useThreadActionsBarConfig.ts (file score: 4)
Detection signals
sec_file:config[._/] moderate
2026-04-21 Arvin Xu View commit ↗
ce99f247 20.0 ollama/ollama
Commit message
mlxrunner: tokenize prompts in request handler goroutines
Primary suspect file
x/mlxrunner/pipeline.go (file score: 7)
Detection signals
moderate -Sprintf(
2026-04-03 Jesse Gross View commit ↗
04f5f0cd 20.0 ollama/ollama
Commit message
mlx: improve thread safety of array management
Primary suspect file
x/mlxrunner/mlx/array.go (file score: 7)
Detection signals
moderate -Sprintf(
2026-04-03 Jesse Gross View commit ↗
7100e8d4 20.0 curl/curl
Commit message
vtls: log when key logging is enabled.
Primary suspect file
lib/vtls/keylog.h (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2025-12-02 Yedaya Katsman View commit ↗
7954718d 20.0 google/boringssl
Commit message
Check for PMULL in gcm_sha3_capable
Primary suspect file
crypto/fipsmodule/aes/gcm.cc.inc (file score: 8)
Detection signals
sec_file:crypto[._/] surgical
2026-04-22 David Benjamin View commit ↗
acb1bd71 20.0 nodejs/node
Commit message
deps: V8: cherry-pick fcf8b990c73c
Primary suspect file
deps/v8/src/trap-handler/handler-shared.cc (file score: 4)
Detection signals
sec_file:handler[._/] surgical
2025-12-11 Abdirahim Musse View commit ↗
c0287667 20.0 nodejs/node
Commit message
Revert "deps: V8: cherry-pick 7107287"
Primary suspect file
deps/v8/src/trap-handler/handler-shared.cc (file score: 4)
Detection signals
sec_file:handler[._/] surgical
2026-04-22 Richard Lau View commit ↗
21b9a502 20.0 openjdk/jdk
Commit message
8370102: Print method signatures in edge cases when using TraceBytecodes
Primary suspect file
src/hotspot/share/interpreter/bytecodeTracer.cpp (file score: 4)
Detection signals
large_penalty -assert(
2026-04-22 Paul Hübner View commit ↗
038da9e3 20.0 dotnet/runtime
Commit message
fix import of SPN with Kerberos realm (#126279)
Primary suspect file
src/libraries/System.Net.Security/tests/EnterpriseTests/System.Net.Security.Enterprise.Tests.csproj (file score: 7)
Detection signals
sec_file:security[._/] surgical
2026-04-22 Tomas Weinfurt View commit ↗
d14f69a3 20.0 postgres/postgres
Commit message
Harmonize function parameter names for Postgres 19.
Primary suspect file
src/backend/parser/gram.y (file score: 4)
Detection signals
sec_file:parser[._/] surgical
2026-04-22 Peter Geoghegan View commit ↗
844bb90d 20.0 postgres/postgres
Commit message
Prevent buffer overrun in spell.c's CheckAffix().
Primary suspect file
src/backend/tsearch/spell.c (file score: 14)
Detection signals
moderate -strcpy( -strcat(
2026-04-22 Tom Lane View commit ↗
1cce4969 20.0 hashicorp/vault
Commit message
[UI] Playwright Client Counts Workflows (#13994) (#14016)
Primary suspect file
ui/app/services/api.ts (file score: 4)
Detection signals
moderate +Forbidden
2026-04-22 Vault Automation View commit ↗
4695110d 20.0 go-gitea/gitea
Commit message
Update `Block a user` form (#37359)
Primary suspect file
routers/web/shared/user/header.go (file score: 4)
Detection signals
sec_file:header[._/] surgical
2026-04-22 PineBale View commit ↗
af644402 20.0 protocolbuffers/protobuf
Commit message
Internal change
Primary suspect file
src/google/protobuf/arena_allocation_policy.cc (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-04-22 Protobuf Team Bot View commit ↗
9b03fafe 20.0 grpc/grpc
Commit message
Mirror CMake dependencies along with Bazel dependencies (#42172)
Primary suspect file
cmake/download_archive.cmake (file score: 10)
Detection signals
surgical -function(
2026-04-22 Michael Lumish View commit ↗
ed633036 20.0 lobehub/lobe-chat
Commit message
🐛 fix(conversation): pin user message to viewport top & fold long user messages (#14056)
Primary suspect file
vite.config.ts (file score: 4)
Detection signals
sec_file:config[._/] moderate
2026-04-22 Innei View commit ↗
09581293 18.8 NVIDIA/OpenShell
Commit message
feat(ci): add release-vm-dev pipeline and install-vm.sh installer (#788)
Primary suspect file
crates/openshell-vm/pins.env (file score: 3)
Detection signals
surgical
2026-04-09 Drew Newberry View commit ↗
b7779bde 18.8 NVIDIA/OpenShell
Commit message
feat(sandbox): integrate OCSF structured logging for sandbox events (#720)
Primary suspect file
crates/openshell-core/src/settings.rs (file score: 3)
Detection signals
surgical
2026-04-07 John T. Myers View commit ↗
047de66b 18.8 NVIDIA/OpenShell
Commit message
feat(bootstrap,cli): switch GPU injection to CDI where supported (#495)
Primary suspect file
crates/openshell-cli/src/bootstrap.rs (file score: 3)
Detection signals
surgical
2026-03-31 Evan Lezar View commit ↗
e8950e62 18.8 NVIDIA/OpenShell
Commit message
feat(sandbox): add L7 query parameter matchers (#617)
Primary suspect file
crates/openshell-sandbox/data/sandbox-policy.rego (file score: 3)
Detection signals
sec_file:policy[._/] moderate
2026-03-30 John T. Myers View commit ↗
834f8aa1 18.8 NVIDIA/OpenShell
Commit message
fix: security hardening batch 1 (SEC-002 through SEC-010) (#548)
Primary suspect file
crates/openshell-sandbox/src/proxy.rs (file score: 10)
Detection signals
large_penalty +sanitized +Unauthorized +blocklist
2026-03-23 John T. Myers View commit ↗
a9128482 18.8 NVIDIA/OpenShell
Commit message
refactor(build): unify image build graph for cache reuse (#390)
Primary suspect file
crates/openshell-core/build.rs (file score: 3)
Detection signals
surgical
2026-03-18 Drew Newberry View commit ↗
3a328be8 18.8 NVIDIA/OpenShell
Commit message
feat(inference): verify endpoints before saving routes (#291)
Primary suspect file
crates/openshell-bootstrap/src/docker.rs (file score: 3)
Detection signals
surgical
2026-03-16 Piotr Mlocek View commit ↗
72e02680 18.8 NVIDIA/OpenShell
Commit message
feat(sandbox): add gpu sandbox scheduling support (#257)
Primary suspect file
crates/openshell-cli/src/bootstrap.rs (file score: 3)
Detection signals
surgical
2026-03-13 Piotr Mlocek View commit ↗
7b0a2433 18.8 NVIDIA/OpenShell
Commit message
ci: remove sandbox docker build from publish and e2e workflows (#275)
Primary suspect file
crates/navigator-sandbox/src/l7/tls.rs (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-03-13 Drew Newberry View commit ↗
89d21d78 18.8 NVIDIA/OpenShell
Commit message
refactor(sandbox): sandboxes are managed as separate community images (#267)
Primary suspect file
deploy/docker/cluster-entrypoint.sh (file score: 3)
Detection signals
surgical
2026-03-13 Drew Newberry View commit ↗
95d7ae07 18.8 NVIDIA/OpenShell
Commit message
refactor(cli): remove kubeconfig port, add doctor llm-help, update debug docs (#252)
Primary suspect file
.env.example (file score: 3)
Detection signals
surgical
2026-03-12 Drew Newberry View commit ↗
f97270f9 18.8 NVIDIA/OpenShell
Commit message
refactor(docker): rename server image to gateway (#246)
Primary suspect file
deploy/docker/Dockerfile.cluster (file score: 3)
Detection signals
surgical
2026-03-11 Drew Newberry View commit ↗
1cf54ca0 18.8 NVIDIA/OpenShell
Commit message
feat(bootstrap): switch container registry from CloudFront CDN to GHCR with token auth (#167)
Primary suspect file
crates/navigator-cli/src/bootstrap.rs (file score: 3)
Detection signals
surgical
2026-03-10 Drew Newberry View commit ↗
91c7f84c 18.8 NVIDIA/OpenShell
Commit message
feat(sandbox): upgrade Landlock to ABI V2 and fix sandbox venv PATH (#151)
Primary suspect file
crates/navigator-sandbox/src/policy.rs (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-03-06 Drew Newberry View commit ↗
66df9f76 18.8 NVIDIA/OpenShell
Commit message
feat(tui): add port forwarding support to Gator (#81)
Primary suspect file
crates/navigator-cli/src/run.rs (file score: 3)
Detection signals
surgical
2026-03-04 John T. Myers View commit ↗
e0909850 18.8 NVIDIA/OpenShell
Commit message
test: bring back e2e tests on Github CI (#48)
Primary suspect file
crates/navigator-cli/src/main.rs (file score: 3)
Detection signals
surgical
2026-03-02 Drew Newberry View commit ↗
07b5ddac 18.8 NVIDIA/OpenShell
Commit message
feat(cluster): speed up local deploy loop with incremental change tracking (!53)
Primary suspect file
.env.example (file score: 3)
Detection signals
surgical
2026-02-25 Drew Newberry View commit ↗
1c939a25 18.8 NVIDIA/OpenShell
Commit message
feat(sandbox): enable port forwarding and setup openclaw (!33)
Primary suspect file
crates/navigator-core/src/proto/navigator.v1.rs (file score: 3)
Detection signals
surgical
2026-02-20 Drew Newberry View commit ↗
58beed85 18.8 NVIDIA/OpenShell
Commit message
chore: ssh session set_nodelay(true)
Primary suspect file
crates/navigator-cli/src/main.rs (file score: 3)
Detection signals
surgical
2026-02-16 Drew Newberry View commit ↗
6cf02641 18.8 NVIDIA/OpenShell
Commit message
refactor(sandbox): consolidate policy data into YAML, remove rego data file (!18)
Primary suspect file
dev-sandbox-policy.rego (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-02-13 Piotr Mlocek View commit ↗
aab1e342 18.8 NVIDIA/OpenShell
Commit message
fix(sandbox): enforce network namespace and proxy policy in SSH sessions (!17)
Primary suspect file
crates/navigator-sandbox/src/lib.rs (file score: 4)
Detection signals
+allowlist
2026-02-12 Piotr Mlocek View commit ↗
87b24465 18.8 NVIDIA/OpenShell
Commit message
feat(sandbox): OPA policy engine with process-identity binding
Primary suspect file
crates/navigator-cli/src/run.rs (file score: 3)
Detection signals
surgical
2026-02-10 John Myers View commit ↗
20ba66c6 18.8 NVIDIA/OpenShell
Commit message
fix(sandbox): add network namespace isolation for proxy mode
Primary suspect file
crates/navigator-sandbox/src/sandbox/linux/mod.rs (file score: 3)
Detection signals
surgical
2026-02-04 John Myers View commit ↗
d5d3c71e 18.8 NVIDIA/OpenShell
Commit message
feat(sandboxes): initial kube sandbox impl
Primary suspect file
.gitignore (file score: 3)
Detection signals
surgical
2026-02-04 Drew Newberry View commit ↗
5a15de63 18.8 NVIDIA/OpenShell
Commit message
feat(server): add support for entity persistence
Primary suspect file
crates/navigator-core/src/config.rs (file score: 3)
Detection signals
surgical
2026-02-03 Drew Newberry View commit ↗
1474dea7 18.8 NVIDIA/OpenShell
Commit message
feat(sandbox): add basic network and file sandbox support
Primary suspect file
.codex/skills (file score: 3)
Detection signals
surgical
2026-02-03 Drew Newberry View commit ↗
b0a719df 18.8 NVIDIA/OpenShell
Commit message
chore(platform): hello world, intial commit
Primary suspect file
crates/navigator-cli/src/lib.rs (file score: 3)
Detection signals
surgical
2026-01-29 Drew Newberry View commit ↗
e373f7c0 17.7 UNCLASSIFIED NVIDIA/OpenShell
Commit message
feat(inference): add sandbox-system inference route for platform-level inference (#209)
Primary suspect file
crates/navigator-router/src/config.rs (file score: 3)
Detection signals
surgical
2026-03-10 John T. Myers View commit ↗
463f65a0 17.5 NVIDIA/OpenShell
Commit message
fix(cli): support plaintext gateway registration (#824)
Primary suspect file
crates/openshell-cli/src/tls.rs (file score: 6)
Detection signals
sec_file:tls[._/] surgical
2026-04-14 Drew Newberry View commit ↗
f37b69b5 17.5 NVIDIA/OpenShell
Commit message
feat(sandbox): auto-detect TLS and terminate unconditionally for credential injection (#544)
Primary suspect file
crates/openshell-sandbox/data/sandbox-policy.rego (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-03-24 John T. Myers View commit ↗
1f2a85e8 17.5 NVIDIA/OpenShell
Commit message
fix(cli): clear stale last-used sandbox on deletion (#510)
Primary suspect file
crates/openshell-bootstrap/src/lib.rs (file score: 3)
Detection signals
surgical
2026-03-23 Serge Panev View commit ↗
1ad45b4a 17.5 NVIDIA/OpenShell
Commit message
fix(policy): enforce run_as_user/run_as_group must be 'sandbox' (#230)
Primary suspect file
crates/navigator-cli/src/run.rs (file score: 3)
Detection signals
surgical
2026-03-11 John T. Myers View commit ↗
a83109c3 17.5 NVIDIA/OpenShell
Commit message
fix(containers): remediate high-severity container vulnerabilities and remove openclaw (#191)
Primary suspect file
deploy/docker/Dockerfile.cluster (file score: 3)
Detection signals
surgical
2026-03-10 Drew Newberry View commit ↗
3d0c4d17 17.5 NVIDIA/OpenShell
Commit message
fix(security): add SSH session token expiry, connection limits, and lifecycle cleanup (#182)
Primary suspect file
crates/navigator-core/src/config.rs (file score: 3)
Detection signals
surgical
2026-03-09 John T. Myers View commit ↗
07b9d5d0 17.5 NVIDIA/OpenShell
Commit message
feat(cli): restructure CLI commands for simpler UX (#156)
Primary suspect file
crates/navigator-cli/src/bootstrap.rs (file score: 3)
Detection signals
surgical
2026-03-07 Drew Newberry View commit ↗
3da64744 17.5 NVIDIA/OpenShell
Commit message
feat(cli): add --from flag to sandbox create for unified image sources (#89)
Primary suspect file
crates/navigator-bootstrap/src/build.rs (file score: 3)
Detection signals
surgical
2026-03-05 Drew Newberry View commit ↗
5fd4885a 17.5 NVIDIA/OpenShell
Commit message
feat(sandbox): VS Code Remote-SSH support with platform detection fix and network policy (!42)
Primary suspect file
dev-sandbox-policy.rego (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-02-26 Drew Newberry View commit ↗
fcf12dff 16.2 NVIDIA/OpenShell
Commit message
feat(tui): support light terminal backgrounds with adaptive theme (#265)
Primary suspect file
crates/navigator-tui/src/ui/sandbox_policy.rs (file score: 5)
Detection signals
sec_file:policy[._/] surgical
2026-03-12 John T. Myers View commit ↗
1535f806 16.2 NVIDIA/OpenShell
Commit message
feat(sandbox): add configurable imagePullPolicy for sandbox pods (#256)
Primary suspect file
crates/navigator-core/src/config.rs (file score: 3)
Detection signals
surgical
2026-03-12 Drew Newberry View commit ↗
d94d4e11 16.2 NVIDIA/OpenShell
Commit message
feat(cluster): add NVIDIA GPU passthrough support for gateway start (#234)
Primary suspect file
crates/navigator-bootstrap/src/lib.rs (file score: 3)
Detection signals
surgical
2026-03-11 Drew Newberry View commit ↗
ed53c35d 16.2 NVIDIA/OpenShell
Commit message
feat(cli): improve sandbox provisioning status messages and UX (#175)
Primary suspect file
.env.example (file score: 3)
Detection signals
surgical
2026-03-08 Drew Newberry View commit ↗
ffeaf0dd 16.2 NVIDIA/OpenShell
Commit message
fix(sandbox): fix create ordering race, dual-registry credentials, and policy identity clearing (#176)
Primary suspect file
crates/navigator-bootstrap/src/docker.rs (file score: 3)
Detection signals
surgical
2026-03-08 Drew Newberry View commit ↗
8c634138 16.2 NVIDIA/OpenShell
Commit message
fix(docker): remediate container scan vulnerabilities across CI, cluster, and sandbox images (#144)
Primary suspect file
deploy/docker/Dockerfile.ci (file score: 3)
Detection signals
surgical
2026-03-06 Drew Newberry View commit ↗
9cd00bbf 16.2 NVIDIA/OpenShell
Commit message
fix(cluster): fully release resources on destroy to prevent port conflicts (#64)
Primary suspect file
crates/navigator-bootstrap/src/lib.rs (file score: 3)
Detection signals
surgical
2026-03-03 Drew Newberry View commit ↗
dafb7996 15.0 NVIDIA/OpenShell
Commit message
fix(docker): add openshell-prover to Dockerfile skeleton stages and provide z3 (#800)
Primary suspect file
deploy/docker/Dockerfile.cli-macos (file score: 3)
Detection signals
surgical
2026-04-11 John T. Myers View commit ↗
a8e9b43d 15.0 NVIDIA/OpenShell
Commit message
refactor(e2e): replace bash e2e tests with Rust integration tests (#150)
Primary suspect file
.gitignore (file score: 3)
Detection signals
surgical
2026-03-06 Drew Newberry View commit ↗
53899f92 15.0 NVIDIA/OpenShell
Commit message
chore(ci): switch sccache from local disk to memcached backend (#68)
Primary suspect file
deploy/docker/Dockerfile.python-wheels (file score: 3)
Detection signals
surgical
2026-03-03 Drew Newberry View commit ↗
b702b982 15.0 NVIDIA/OpenShell
Commit message
chore: cleanup and organize build files + publish containers
Primary suspect file
.gitignore (file score: 3)
Detection signals
surgical
2026-02-10 Drew Newberry View commit ↗