Severity: Informational / hardening · From security review report.
Where
app/config.py:55-57 writes the generated secret to data/.session_secret with default perms (readable by other local users on a ...
security
severity:info
Severity: Informational / hardening · From security review report.
Where
run.py:14 — uvicorn.run(..., host="0.0.0.0", reload=True).
Fix
Document a production launch profile: drop reload, bind to the ...
security
severity:info
Severity: Informational / hardening · From security review report.
Where
app/enrichment/web.py:94-99 allowlists the initial URL host (good; file:// implicitly rejected). But urllib.request.urlopen (_fetch, ...
security
severity:info
Severity: Low · CWE-1104 · From security review report.
Where
requirements.txt, requirements-dev.txt use floating = constraints with no lockfile/hashes.
Impact
Non-reproducible builds; exposure to ...
security
severity:low
Severity: Low · CWE-613 · From security review report.
Where
app/config.py:41-57 (single persistent secret); app/routers/api.py:355-374 (change_password doesn't invalidate other sessions).
Impact
A ...
security
severity:low
Severity: Low · CWE-352 · From security review report.
Where
app/routers/auth_routes.py:114-118 (@router.get("/logout")); sidebar link templates/base.html:37.
Impact
A third-party page (img src=".../logout" ...
security
severity:low
Severity: Low · CWE-204 · From security review report.
Where
app/routers/auth_routes.py:81-84 returns "An account with that email already exists." Login already uses a generic message.
Impact
Lets an ...
security
severity:low
Severity: Low · CWE-79 · From security review report.
Where
static/js/cigar_form.js:14-18 ratingRow() injects value="${source || ''}" into innerHTML unescaped. Reached via edit and the ?clone= path (:159); ...
security
severity:low
Severity: Medium · CWE-307 · From security review report.
Where
app/routers/auth_routes.py:99-110 (/login) — no throttling/lockout/backoff. scrypt cost helps but attempts are unbounded.
Impact
Online ...
security
severity:medium
Severity: Medium · CWE-693 / CWE-1021 · From security review report.
Where
app/main.py installs only SessionMiddleware — no CSP, X-Content-Type-Options, X-Frame-Options/frame-ancestors, or Referrer-Policy. ...
security
severity:medium