OpenCode AI Coding Agent RCE via Unauthenticated Local Server and Web UI XSS
Security researchers disclosed two high-severity vulnerabilities in the open-source OpenCode AI coding agent that can allow arbitrary command execution on a developer workstation in drive-by scenarios. CVE-2026-22812 stems from OpenCode automatically starting an unauthenticated HTTP server with permissive CORS (Access-Control-Allow-Origin: *), enabling any local process—or a malicious website via cross-origin requests—to invoke sensitive local API endpoints and execute shell commands with the user’s privileges. Separately, CVE-2026-22813 is a critical issue in the OpenCode web UI where the markdown renderer can inject arbitrary HTML into the DOM without sanitization (no DOMPurify and no CSP), enabling JavaScript execution on the http://localhost:4096 origin and subsequent access to local APIs that can spawn processes.
Mitigations are available for both OpenCode issues: CVE-2026-22812 is fixed in OpenCode 1.0.216, and CVE-2026-22813 is fixed in OpenCode 1.1.10. Other items in the set describe unrelated vulnerabilities in different products (e.g., a command-injection flaw in an end-of-life VS Code extension, unsafe deserialization in LlamaIndex, ReDoS in LangChain, and various web app SQLi/XSS/access-control issues) and do not materially change the OpenCode risk picture; they should be tracked separately by affected-asset ownership and exposure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Technical details published on drive-by exploitation via malicious websites
Follow-up reporting explained that CVE-2026-22813 exploited an XSS condition in OpenCode's web UI and that CVE-2026-22812 involved an unauthenticated HTTP server with permissive CORS. The report highlighted exposed endpoints capable of spawning processes and reading arbitrary files from disk through localhost:4096.
Advisories disclose CVE-2026-22812 and CVE-2026-22813 in OpenCode
Security advisories disclosed CVE-2026-22812 and CVE-2026-22813, describing how malicious websites could abuse OpenCode's localhost services and web UI to execute commands on a developer's machine. The disclosures identified affected versions as OpenCode releases before 1.0.216 and rated the flaws high severity.
OpenCode releases version 1.0.216 to fix two critical flaws
OpenCode fixed two high-severity vulnerabilities affecting versions prior to 1.0.216, including an unauthenticated local HTTP server issue and an XSS flaw in the web UI. Updating to version 1.0.216 or later mitigates arbitrary command execution and related local file access risks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Critical OpenCode Flaws Let Websites Hijack Your PC
securityonline.info
Open sourceCVE-2026-22812 - OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution
cvefeed.io
Open sourceCVE-2026-22813 - Malicious website can execute commands on the local system through XSS in the OpenCode web UI
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ox Security disclosures of high-severity vulnerabilities in popular VSCode extensions
Security researchers at **Ox Security** reported multiple high-to-critical vulnerabilities in widely used *Visual Studio Code* extensions—collectively exceeding **128 million downloads**—that could enable **local file exfiltration** and **code execution** in developer environments. The issues highlighted include **Live Server** (**CVE-2025-65717**), **Code Runner** (**CVE-2025-65715**, referenced in reporting but not included as a CVE entry here), **Markdown Preview Enhanced** (**CVE-2025-65716**), and *Microsoft Live Preview* (no CVE cited in the reporting). Ox Security stated it attempted disclosure starting in June 2025 but did not receive responses from maintainers, warning that exploitation could support **lateral movement**, **data theft**, and **system takeover** in corporate networks where developer workstations are a pivot point. The CVE records included in this set describe two of the extension flaws in more detail: **CVE-2025-65717** (Live Server v5.7.9) allows attackers to **exfiltrate files** when a user interacts with a crafted HTML page, and **CVE-2025-65716** (Markdown Preview Enhanced v0.8.18) can lead to **arbitrary code execution** via a crafted `.md` file (user interaction required). Other items in the feed are unrelated, covering a broad mix of independent vulnerabilities (e.g., Tenable Security Center command injection, LightLLM unsafe deserialization RCE, libvpx heap overflow affecting Firefox/Thunderbird, and multiple router/IoT hard-coded credential and command-injection issues) and should not be treated as part of the VSCode-extension disclosure story.
Mar 21, 2026
Critical Vulnerabilities in Popular VS Code Extensions Enable Local File Theft and Code Execution
Security researchers at **OX Security** disclosed multiple vulnerabilities across widely used Microsoft Visual Studio Code extensions—**Live Server**, **Code Runner**, **Markdown Preview Enhanced**, and **Microsoft Live Preview**—with combined installs reported at **125–128 million**. The issues enable attacks ranging from **local file exfiltration** to **arbitrary code/JavaScript execution**, and highlight how a single vulnerable or malicious extension can be leveraged for broader compromise and potential lateral movement in developer environments. Reported flaws include **CVE-2025-65717** (Live Server; CVSS 9.1) enabling local file theft by luring a developer to a malicious site while the extension’s local server is running (e.g., `localhost:5500`), **CVE-2025-65716** (Markdown Preview Enhanced; CVSS 8.8) allowing arbitrary JavaScript execution via a crafted `.md` file with subsequent local port enumeration and exfiltration, and **CVE-2025-65715** (Code Runner; CVSS 7.8) enabling code execution by tricking users into modifying `settings.json`. Separate reporting on **Microsoft Live Preview** describes a **one-click reflected XSS** and unauthenticated request abuse against the extension’s local development server to enumerate and exfiltrate sensitive files (e.g., `.env`, API keys, source code); this Live Preview issue was reported as patched in version **0.4.16** via input sanitization (e.g., an `escapeHTML` function), while other extension issues were described as **unpatched** at the time of reporting.
Mar 21, 2026
OpenClaw (ClawdBot/Moltbot) One-Click Remote Code Execution via Unsafe Gateway URL Handling
A **critical one-click remote code execution (RCE)** issue was reported in *OpenClaw* (also referred to as **ClawdBot/Moltbot**), an open-source AI “agent” assistant that runs with high local privileges and access to sensitive data (e.g., messaging apps and API keys). The described exploit chain abuses **unsafe URL parameter ingestion** (e.g., a `gatewayUrl` query parameter accepted without validation), persistence of attacker-controlled values (stored in `localStorage`), and an **automatic gateway connection** that transmits an `authToken` during the handshake—enabling **cross-site WebSocket hijacking** and ultimately unauthenticated code execution after a victim clicks a single malicious link. Reporting indicates the flaw has been **weaponized**, making it a practical drive-by compromise path for endpoints running the assistant. Separate reporting highlighted broader concerns with agentic/open-source AI tooling and deployments, including the security risks of highly privileged “AI that acts for you” and the growing attack surface created by exposed AI services. Research cited large-scale internet exposure of open-source LLM runtimes (e.g., **Ollama**) with tool-calling and weak guardrails, warning that a single vulnerability or misconfiguration could enable widespread abuse (resource hijacking, identity laundering, or remote execution of privileged operations). These themes reinforce that AI agents and self-hosted AI stacks should be treated as **critical infrastructure**, with strict input validation, hardened update/connection flows, and strong monitoring around token handling and outbound connections.
Mar 21, 2026