Sebastion AI security score

0x4m4/hexstrike-ai

Score: B
Last audited: 6 May 2026
Lines scanned: 1,284,902
PRs merged: 11

Findings by severity: 2 Critical, 7 High, 19 Medium, 34 Low
CWE breakdown

What we found, by category.

CWE-79, 14 findings: Cross-site scripting in HTML output
CWE-89, 3 findings: SQL injection through unsanitised query construction
CWE-22, 8 findings: Path traversal in file system access
CWE-918, 6 findings: Server-side request forgery to internal services
CWE-78, 2 findings: OS command injection through unescaped arguments
CWE-352, 5 findings: Cross-site request forgery on state-changing endpoints
Recent findings

Filed and tracked.

Severity | CWE | Status | Finding
Critical | CWE-918 | Fixed | Server-side request forgery in image optimisation loader
Critical | CWE-22 | Open | Path traversal via unvalidated route segment in static export
High | CWE-79 | Fixed | Reflected XSS in dev overlay error frame renderer
High | CWE-352 | Open | CSRF token not validated on server action revalidation endpoint
High | CWE-78 | Won't fix | Command injection through user-supplied build env in turbo runner
Medium | CWE-79 | Fixed | DOM XSS via unsanitised hash fragment in router fallback
Medium | CWE-89 | Open | SQL injection in example app data adapter

Embed

Show the audit on your README.

Audited by Foundation Machines · 0x4m4/hexstrike-ai
Drop this in your README to show the audit.
[![Audited by Foundation Machines](https://foundationmachines.ai/badge/0x4m4/hexstrike-ai.svg)](https://foundationmachines.ai/scores/0x4m4/hexstrike-ai)
Methodology

How we score.

Every commit is run through static analysis, dynamic fuzzing in an ephemeral microVM and an LLM-assisted review tuned for the AI stack. Three lenses on the same code.

We trace data flow from sources such as request bodies, environment variables and uploaded files all the way to sinks such as SQL clients, shell invocations and outbound HTTP, and file a finding only where tainted data actually reaches a sink. No taint, no finding.

Nothing is reported without a working proof-of-concept test that triggers the vulnerability. Findings ship with a draft PR you can merge, not a backlog you have to triage.

Get this score for your repo.

Install Sebastion AI on GitHub and get a security score for every PR.