Hartmut/CapaKraken
Issues: 10 Open, 48 Closed
#58  Security [MEDIUM]: Dependency CVEs — upgrade dompurify, vite/esbuild, brace-expansion  [label: security]  (by Hartmut, closed 2026-04-17 09:30:58 +02:00)
#57  Security [MEDIUM]: RBAC permissions cache 60 s — revocation propagates slowly across instances  [label: security]  (by Hartmut, closed 2026-04-17 13:01:39 +02:00)
#56  Security [MEDIUM]: Password-policy client/server divergence + weak secret-entropy check  [label: security]  (by Hartmut, closed 2026-04-17 14:57:17 +02:00)
#55  Security [MEDIUM]: Audit log fire-and-forget drops entries on DB load + no prompt-input audit  [label: security]  (by Hartmut, closed 2026-04-17 15:07:02 +02:00)
#54  Security [MEDIUM]: Dispo workbook path unvalidated + image upload polyglot risk  [label: security]  (by Hartmut, closed 2026-04-17 15:27:07 +02:00)
#53  Security [MEDIUM]: AI-tool error messages leak Prisma schema details to LLM  [label: security]  (by Hartmut, closed 2026-04-17 09:40:18 +02:00)
#52  Security [MEDIUM]: Blueprint validator uses native RegExp — admin-set pattern enables ReDoS  [label: security]  (by Hartmut, closed 2026-04-17 09:33:58 +02:00)
#51  Security [MEDIUM]: Systematic Zod .max() audit — 202 unbounded z.string() sites  [label: security]  (by Hartmut, closed 2026-04-18 13:53:28 +02:00)
#50  Security [HIGH]: Docker + Compose — hardcoded dev password, env-var secrets, placeholder secrets baked in prod image  [label: security]  (by Hartmut, closed 2026-04-17 14:51:17 +02:00)
#49  Security [HIGH]: SSRF guard misses IPv6 private ranges + webhook dispatcher lacks DNS-rebind protection  [label: security]  (by Hartmut, closed 2026-04-17 09:29:06 +02:00)
#48  Security [HIGH]: Resource.dynamicFields JSONB merge accepts attacker-controlled keys + unbounded metadata  [label: security]  (by Hartmut, closed 2026-04-17 09:29:05 +02:00)
#47  Security [HIGH]: Read-only proxy bypass via tRPC callers + missing $transaction/$queryRaw blocks  [label: security]  (by Hartmut, closed 2026-04-17 09:28:15 +02:00)
#46  Security [HIGH]: Pino logger has no redact paths — passwords/tokens logged cleartext  [label: security]  (by Hartmut, closed 2026-04-17 09:29:43 +02:00)
#45  Security [HIGH]: CSP wildcards (*.openai.com, *.azure.com), unsafe-inline styles, SVG routes skip CSP  [label: security]  (by Hartmut, closed 2026-04-17 09:29:04 +02:00)
#44  Security [HIGH]: API middleware default-allows /api/* — new routes inherit public access  [label: security]  (by Hartmut, closed 2026-04-17 09:29:04 +02:00)
#43  Security [HIGH]: MFA TOTP replay-race + missing backup codes  [label: security]  (by Hartmut, closed 2026-04-17 09:29:25 +02:00)
#42  Security [HIGH]: E2E_TEST_MODE bypass must fail-fast in production  [label: security]  (by Hartmut, closed 2026-04-17 09:29:04 +02:00)
#41  Security [HIGH]: Session/Cookie hardening — Secure flag, concurrent-session enforcement, JTI exposure  [label: security]  (by Hartmut, closed 2026-04-17 09:29:03 +02:00)
#40  Security [HIGH]: Login timing attack enables user-email enumeration  [label: security]  (by Hartmut, closed 2026-04-17 09:29:03 +02:00)
#39  Security [HIGH]: Prompt-injection guard trivially bypassable (regex-only, no Unicode normalization)  [label: security]  (by Hartmut, closed 2026-04-17 09:29:02 +02:00)