
wekan/wekan

https://github.com/wekan/wekan.git · lang: javascript · LOC: · source: user_submitted

Quality
76.0
Grade B+
Security
100.0
Findings
198
12 critical · 80 high
Status
completed
May 22, 2026 09:04
high: 80 low: 46 medium: 39 info: 21 critical: 12
Top rules by occurrence
Rule · Severity · Count
AIC003 Duplicated implementation block across source files · low · 30
MINED108 self.attribute used but never assigned in __init__ · high · 25
MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · high · 25
AGT015 Remote install command pipes network code directly to a she… · medium · 10
DKC009 Compose service bind-mounts a sensitive host path · high · 8
MINED111 Bare except continues silently · medium · 5
MINED044 Js Console Log Prod · info · 4
SEC020 Secret Printed to Logs · high · 4
SEC132 String concat where the language has interpolation (AI styl… · low · 4
MINED123 Trojan Source bidi character in source (CVE-2021-42574) · critical · 4
First 198 findings (severity-sorted)
critical DKC007 Compose service contains a literal secret environment value
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:93 · conf 0.96
Compose service contains a literal secret environment value
critical DKC007 Compose service contains a literal secret environment value
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:112 · conf 0.96
Compose service contains a literal secret environment value
critical DKR005 Docker image bakes a secret-like ENV value
.devcontainer/Dockerfile:15 · conf 0.96
Docker image bakes a secret-like ENV value
critical DKR005 Docker image bakes a secret-like ENV value
Dockerfile:15 · conf 0.96
Docker image bakes a secret-like ENV value
critical MINED013 Password In Url CWE-200
docs/Platforms/FOSS/Docker/Meteor3/1createdb.sh:63 · conf 1.00
[MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
critical MINED013 Password In Url CWE-200
stacksmith/user-scripts/boot.sh:11 · conf 1.00
[MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
openapi/generate_openapi.py:490 · conf 1.00
[MINED107] Missing import: `enum` used but not imported: The file uses `enum.something(...)` but never imports `enum`. This raises NameError at runtime the first time the line executes.
critical MINED123 Trojan Source bidi character in source (CVE-2021-42574) CWE-1007
packages/wekan-fullcalendar/fullcalendar/locale-all.js:1 · conf 0.90
[MINED123] Trojan Source bidi character (RLM) in source: Line 1 contains a Unicode bidirectional override character (U+200F RLM). This is the 'Trojan Source' attack (CVE-2021-42574): the character ma…
critical MINED123 Trojan Source bidi character in source (CVE-2021-42574) CWE-1007
packages/wekan-fullcalendar/fullcalendar/locale/ar.js:1 · conf 0.90
[MINED123] Trojan Source bidi character (RLM) in source: Line 1 contains a Unicode bidirectional override character (U+200F RLM). This is the 'Trojan Source' attack (CVE-2021-42574): the character ma…
critical MINED123 Trojan Source bidi character in source (CVE-2021-42574) CWE-1007
packages/wekan-fullcalendar/fullcalendar/locale/ar-ly.js:1 · conf 0.90
[MINED123] Trojan Source bidi character (RLM) in source: Line 1 contains a Unicode bidirectional override character (U+200F RLM). This is the 'Trojan Source' attack (CVE-2021-42574): the character ma…
critical MINED123 Trojan Source bidi character in source (CVE-2021-42574) CWE-1007
releases/translations/old-pull-translations.sh:150 · conf 0.90
[MINED123] Trojan Source bidi character (LRM) in source: Line 150 contains a Unicode bidirectional override character (U+200E LRM). This is the 'Trojan Source' attack (CVE-2021-42574): the character …
critical SEC022 Database URL With Embedded Credential
stacksmith/user-scripts/boot.sh:11 · conf 1.00
[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working c…
high DKC009 Compose service bind-mounts a sensitive host path
.devcontainer/docker-compose.yml:4 · conf 0.90
Compose service bind-mounts a sensitive host path
high DKC009 Compose service bind-mounts a sensitive host path
.devcontainer/docker-compose.yml:18 · conf 0.90
Compose service bind-mounts a sensitive host path
high DKC009 Compose service bind-mounts a sensitive host path
docker-compose.yml:224 · conf 0.90
Compose service bind-mounts a sensitive host path
high DKC009 Compose service bind-mounts a sensitive host path
docker-compose.yml:265 · conf 0.90
Compose service bind-mounts a sensitive host path
high DKC009 Compose service bind-mounts a sensitive host path
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:93 · conf 0.90
Compose service bind-mounts a sensitive host path
high DKC009 Compose service bind-mounts a sensitive host path
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:112 · conf 0.90
Compose service bind-mounts a sensitive host path
high DKC009 Compose service bind-mounts a sensitive host path
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:147 · conf 0.90
Compose service bind-mounts a sensitive host path
high DKC009 Compose service bind-mounts a sensitive host path
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:709 · conf 0.90
Compose service bind-mounts a sensitive host path
high DKC011 Database service publishes a host port
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:112 · conf 0.84
Database service publishes a host port
high DKC011 Database service publishes a host port
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:709 · conf 0.84
Database service publishes a host port
high DKC013 Database service has no persistent data volume
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:112 · conf 0.90
Database service has no persistent data volume
high MINED012 Curl Pipe Bash CWE-494
releases/install-sandstorm.sh:4 · conf 1.00
[MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:104 · conf 1.00
[MINED108] `self._decode` used but never assigned in __init__: Method `decode` of class `JS2jsonDecoder` reads `self._decode`, but no assignment to it exists in __init__ (and no class-level fallback)…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:113 · conf 1.00
[MINED108] `self._decode` used but never assigned in __init__: Method `_decode` of class `JS2jsonDecoder` reads `self._decode`, but no assignment to it exists in __init__ (and no class-level fallback…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:115 · conf 1.00
[MINED108] `self._decode` used but never assigned in __init__: Method `_decode` of class `JS2jsonDecoder` reads `self._decode`, but no assignment to it exists in __init__ (and no class-level fallback…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:165 · conf 1.00
[MINED108] `self._path` used but never assigned in __init__: Method `compute_path` of class `EntryPoint` reads `self._path`, but no assignment to it exists in __init__ (and no class-level fallback). …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:179 · conf 1.00
[MINED108] `self.log` used but never assigned in __init__: Method `error` of class `EntryPoint` reads `self.log`, but no assignment to it exists in __init__ (and no class-level fallback). This raises…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:182 · conf 1.00
[MINED108] `self.log` used but never assigned in __init__: Method `warn` of class `EntryPoint` reads `self.log`, but no assignment to it exists in __init__ (and no class-level fallback). This raises …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:185 · conf 1.00
[MINED108] `self.log` used but never assigned in __init__: Method `info` of class `EntryPoint` reads `self.log`, but no assignment to it exists in __init__ (and no class-level fallback). This raises …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:258 · conf 1.00
[MINED108] `self.warn` used but never assigned in __init__: Method `doc` of class `EntryPoint` reads `self.warn`, but no assignment to it exists in __init__ (and no class-level fallback). This raises…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:271 · conf 1.00
[MINED108] `self.warn` used but never assigned in __init__: Method `doc` of class `EntryPoint` reads `self.warn`, but no assignment to it exists in __init__ (and no class-level fallback). This raises…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:301 · conf 1.00
[MINED108] `self.warn` used but never assigned in __init__: Method `doc` of class `EntryPoint` reads `self.warn`, but no assignment to it exists in __init__ (and no class-level fallback). This raises…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:324 · conf 1.00
[MINED108] `self.info` used but never assigned in __init__: Method `doc` of class `EntryPoint` reads `self.info`, but no assignment to it exists in __init__ (and no class-level fallback). This raises…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:344 · conf 1.00
[MINED108] `self.doc_param` used but never assigned in __init__: Method `print_openapi_param` of class `EntryPoint` reads `self.doc_param`, but no assignment to it exists in __init__ (and no class-le…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:392 · conf 1.00
[MINED108] `self.print_openapi_return` used but never assigned in __init__: Method `print_openapi_return` of class `EntryPoint` reads `self.print_openapi_return`, but no assignment to it exists in __…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:396 · conf 1.00
[MINED108] `self.error` used but never assigned in __init__: Method `print_openapi_return` of class `EntryPoint` reads `self.error`, but no assignment to it exists in __init__ (and no class-level fal…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:399 · conf 1.00
[MINED108] `self.print_openapi_return` used but never assigned in __init__: Method `print_openapi_return` of class `EntryPoint` reads `self.print_openapi_return`, but no assignment to it exists in __…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:414 · conf 1.00
[MINED108] `self.operationId` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.operationId`, but no assignment to it exists in __init__ (and no class-leve…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:416 · conf 1.00
[MINED108] `self.summary` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.summary`, but no assignment to it exists in __init__ (and no class-level fallba…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:417 · conf 1.00
[MINED108] `self.summary` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.summary`, but no assignment to it exists in __init__ (and no class-level fallba…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:419 · conf 1.00
[MINED108] `self.description` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.description`, but no assignment to it exists in __init__ (and no class-leve…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:427 · conf 1.00
[MINED108] `self.tags` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.tags`, but no assignment to it exists in __init__ (and no class-level fallback). T…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:429 · conf 1.00
[MINED108] `self.tags` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.tags`, but no assignment to it exists in __init__ (and no class-level fallback). T…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:449 · conf 1.00
[MINED108] `self.print_openapi_param` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.print_openapi_param`, but no assignment to it exists in __init__ (a…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:458 · conf 1.00
[MINED108] `self.returns` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.returns`, but no assignment to it exists in __init__ (and no class-level fallba…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:460 · conf 1.00
[MINED108] `self.returns` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.returns`, but no assignment to it exists in __init__ (and no class-level fallba…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
openapi/generate_openapi.py:460 · conf 1.00
[MINED108] `self.print_openapi_return` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.print_openapi_return`, but no assignment to it exists in __init__ …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright.yml:18 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright.yml:21 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright.yml:58 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright.yml:61 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright.yml:107 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright.yml:115 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright.yml:137 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright.yml:140 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:43 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:96 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:101 · conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:108 · conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:120 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:141 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:174 · conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:205 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:234 · conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:271 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:300 · conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:337 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:409 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:422 · conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:456 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:471 · conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-all.yml:477 · conf 0.90
[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v3`: `uses: softprops/action-gh-release@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action own…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
.devcontainer/Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
.gitpod.Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `gitpod/workspace-mongodb (no tag)` not pinned by digest: `FROM gitpod/workspace-mongodb (no tag)` resolves the tag at build time. The registry CAN re-push a different imag…
high MINED126 GHA workflow container/services image unpinned CWE-829
.github/workflows/playwright.yml:49 · conf 0.90
[MINED126] Workflow container/services image `mongo:7` unpinned: `container/services image: mongo:7` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container reference…
high MINED126 GHA workflow container/services image unpinned CWE-829
.github/workflows/playwright.yml:128 · conf 0.90
[MINED126] Workflow container/services image `mongo:7` unpinned: `container/services image: mongo:7` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container reference…
high SEC027 XML External Entity (XXE) — Node.js xml parsers
packages/wekan-accounts-cas/cas_server.js:63 · conf 1.00
[SEC027] XML External Entity (XXE) — Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs.
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
client/00-startup.js:10 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
client/components/gantt/gantt.js:97 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
models/attachments.js:160 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC078 Python: requests without timeout
docs/ImportExport/trello/api.py:86 · conf 1.00
[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…
high SEC083 JS: new RegExp() with non-literal
client/components/settings/translationBody.js:106 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
high SEC083 JS: new RegExp() with non-literal
models/attachments.js:41 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
high SEC083 JS: new RegExp() with non-literal
models/avatars.js:43 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
server/models/activities.js:171 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC100 CORS permissive Access-Control-Allow-Origin: *
server/routes/customHeadAssets.js:33 · conf 1.00
[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
client/components/activities/comments.js:42 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
client/components/settings/lockedUsersBody.js:138 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
client/components/sidebar/sidebarCustomFields.js:243 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium AGT005 Calendar/event date parsing can crash on malformed persisted data
client/components/gantt/gantt.js:110 · conf 0.76
Calendar/event date parsing can crash on malformed persisted data
medium AGT005 Calendar/event date parsing can crash on malformed persisted data
models/csvCreator.js:310 · conf 0.76
Calendar/event date parsing can crash on malformed persisted data
medium AGT007 localStorage write failures are swallowed silently
client/components/swimlanes/swimlanes.js:106 · conf 0.80
localStorage write failures are swallowed silently
medium AGT015 Remote install command pipes network code directly to a shell
docs/Databases/FerretDB2-PostgreSQL.md:28 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
docs/DeveloperDocs/Debugging.md:99 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
docs/Platforms/FOSS/Sandstorm/Building-Wekan-for-Sandstorm.md:62 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
docs/Platforms/FOSS/Sandstorm/Developing-Wekan-for-Sandstorm.md:15 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
docs/Platforms/FOSS/Source/Install-from-source-without-root.md:10 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
docs/Platforms/FOSS/Source/Source.md:23 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
.github/workflows/playwright.yml:27 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
.github/workflows/release-all.yml:127 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
README.md:127 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
.travis.yml:12 · conf 0.70
Remote install command pipes network code directly to a shell
medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium DKC014 Database data bind mount is inside the Docker build context
.devcontainer/docker-compose.yml:4 · conf 0.84
Database data bind mount is inside the Docker build context
medium DKC015 Database service has no healthcheck
.devcontainer/docker-compose.yml:4 · conf 0.88
Database service has no healthcheck
medium DKC015 Database service has no healthcheck
docker-compose.yml:224 · conf 0.88
Database service has no healthcheck
medium DKC015 Database service has no healthcheck
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:112 · conf 0.88
Database service has no healthcheck
medium DKC015 Database service has no healthcheck
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:709 · conf 0.88
Database service has no healthcheck
medium DKR002 Dockerfile base image has no explicit tag
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:147 · conf 0.90
Compose service `wekan` image has no explicit tag
medium DKR003 Dockerfile base image uses the latest tag
docker-compose.yml:265 · conf 0.94
Compose service `wekan` image uses the latest tag
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
client/00-startup.js:15 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
client/components/unicode-icons.js:66 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
server/models/activities.js:313 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium MINED111 Bare except continues silently
api.py:389 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
api.py:412 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
api.py:568 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
api.py:785 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
openapi/generate_openapi.py:811 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium SEC002 Hardcoded API Key
docs/ImportExport/asana/export_boards.pl:11 · conf 0.30
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.
medium SEC015 Insecure Randomness for Security
models/usersessiondata.js:232 · conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
packages/wekan-accounts-cas/cas_client_cordova.js:65 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
packages/wekan-accounts-cas/cas_client.js:115 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC045 eval()/exec() on stored or user-supplied data
server/models/activities.js:171 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC046 Client-side open redirect — window.location = server-supplied URL
config/accounts.js:128 · conf 1.00
[SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If t…
medium SEC046 Client-side open redirect — window.location = server-supplied URL
packages/wekan-accounts-cas/cas_client.js:51 · conf 1.00
[SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If t…
medium WEB003 Public web service has no security.txt
.well-known/security.txt · conf 0.78
Public web service has no security.txt
medium WEB004 robots.txt blocks the full public site
public/robots.txt · conf 0.86
robots.txt blocks the full public site
medium WEB015 Public web app has no Content Security Policy
index.html · conf 0.70
Public web app has no Content Security Policy
low AIC003 Duplicated implementation block across source files
client/components/cards/cardDate.js:9 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
client/components/lists/listHeader.js:343 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
client/components/rules/actions/checklistActions.js:45 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
client/components/settings/adminReports.js:243 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
client/components/swimlanes/swimlaneHeader.js:45 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
client/components/swimlanes/swimlanes.js:412 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
client/components/swimlanes/swimlanes.js:569 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
client/components/users/userHeader.js:264 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
client/config/blazeHelpers.js:14 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
client/config/blazeHelpers.js:18 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
client/lib/filter.js:4 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
client/lib/filter.js:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
client/lib/pasteImage.js:36 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
config/query-classes.js:2 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
config/query-classes.js:5 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
imports/lib/secureDOMPurify.js:5 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/accountSettings.js:16 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/announcements.js:6 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/announcements.js:17 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/avatars.js:20 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/cardComments.js:23 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/cardComments.js:26 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/checklistItems.js:24 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/checklists.js:20 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/checklists.js:21 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/checklists.js:23 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/customFields.js:76 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/exportExcel.js:31 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/exportPDF.js:32 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
models/exportPDF.js:37 · conf 0.86
Duplicated implementation block across source files
low DKC006 Compose service does not declare a runtime user
docker-compose.yml:265 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:147 · conf 0.56
Compose service does not declare a runtime user
low DKC010 Compose service lacks no-new-privileges hardening
.devcontainer/docker-compose.yml:18 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
docker-compose.yml:265 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:147 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC016 App service does not wait for database health
.devcontainer/docker-compose.yml:18 · conf 0.68
App service does not wait for database health
low DKC016 App service does not wait for database health
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:147 · conf 0.68
App service does not wait for database health
low DKR008 .dockerignore misses sensitive defaults
.dockerignore · conf 0.72
.dockerignore misses sensitive defaults
low SEC006 XSS Risk
config/accounts.js:120 · conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
low SEC132 String concat where the language has interpolation (AI style drift)
docs/ImportExport/trello/api.py:155 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
low SEC132 String concat where the language has interpolation (AI style drift)
models/server/metrics.js:220 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
low SEC132 String concat where the language has interpolation (AI style drift)
npm-packages/meteor-jade-loader/index.js:30 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
low WEB002 Public web app has no sitemap
sitemap.xml · conf 0.72
Public web app has no sitemap
low WEB005 robots.txt does not advertise a sitemap
public/robots.txt · conf 0.74
robots.txt does not advertise a sitemap
low WEB008 Public docs site has no llms.txt
llms.txt · conf 0.64
Public docs site has no llms.txt
low WEB011 Public web app has no humans.txt
humans.txt · conf 0.50
Public web app has no humans.txt
info MINED043 Http Not Https CWE-319
docs/Webserver/nginx/nginx.conf:85 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
server/authentication.js:175 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
stacksmith/user-scripts/build.sh:14 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 38 more): Same pattern found in 38 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
client/00-startup.js:28 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
client/components/boards/originalPositionsView.js:25 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
client/components/common/originalPosition.js:23 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED047 Emoji In Source
packages/wekan-fullcalendar/fullcalendar/locale/is.js:1 · conf 1.00
[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.
info MINED047 Emoji In Source
packages/wekan-fullcalendar/fullcalendar/locale/ro.js:1 · conf 1.00
[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.
info MINED047 Emoji In Source
packages/wekan-fullcalendar/fullcalendar/locale/vi.js:1 · conf 0.10
[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.
info MINED049 Print Pii CWE-532
docs/ImportExport/trello/api.py:63 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED067 Python Requests No Timeout CWE-400
docs/ImportExport/trello/api.py:86 · conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
info MINED098 Global Scope Pollution
packages/wekan-accounts-cas/cas_client.js:51 · conf 1.00
[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…
info SEC020 Secret Printed to Logs
· conf 0.20
[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed.
info SEC020 Secret Printed to Logs
docs/ImportExport/trello/api.py:63 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC020 Secret Printed to Logs
models/exportExcel.js:63 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC020 Secret Printed to Logs
models/export.js:62 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 6 more): Same pattern found in 6 additional files. Review if needed.
info SEC083 JS: new RegExp() with non-literal
· conf 0.20
[SEC083] JS: new RegExp() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed.
info SEC128 Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed.
info SEC132 String concat where the language has interpolation (AI style drift)
· conf 0.20
[SEC132] String concat where the language has interpolation (AI style drift) (and 5 more): Same pattern found in 5 additional files. Review if needed.