CVE-2026-25244 is a critical command injection issue in WebdriverIO versions below 9.24.0. The vulnerable path can pass Git branch names containing shell metacharacters into execSync() without sanitization through getGitMetadataForAISelection(), which can allow arbitrary command execution during test orchestration. The impact is especially serious for CI/CD runners and developer workstations that process [truncated]
CVE-2015-8856 is a cross-site scripting issue in the Node.js serve-index package before 1.6.3. If an attacker can influence a file or directory name that is rendered in a directory listing, the generated page may include attacker-controlled script or HTML. The CVE record was published on 2017-01-23, while the referenced advisory material dates to 2016-04-20.
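The output-encoding step that the serve-index issue above turns on, as an added example that is not serve-index's own code or its actual fix. The renderer functions, the `/files/` base URL and the sample names are hypothetical and constructed for illustration; the block shows a file name concatenated raw into a listing beside one that is percent-encoded for the link target and HTML-escaped for the markup.

```javascript
// Added example: hypothetical directory-listing renderer, not serve-index code.

// Characters that change meaning in HTML text or in quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the name from the file system goes into markup as-is,
// so a name that contains markup is parsed as markup by the browser.
function renderEntryUnsafe(dirUrl, name) {
  return '<li><a href="' + dirUrl + name + '">' + name + '</a></li>';
}

// Hardened pattern: two different encodings for two different contexts.
// 1. percent-encode the name as a single URL path segment;
// 2. HTML-escape the attribute value and the visible link text.
function renderEntrySafe(dirUrl, name) {
  const href = dirUrl + encodeURIComponent(name);
  return '<li><a href="' + escapeHtml(href) + '">' + escapeHtml(name) + '</a></li>';
}

function renderListing(dirUrl, names, renderEntry) {
  const items = names.map((name) => renderEntry(dirUrl, name));
  return '<ul>\n' + items.join('\n') + '\n</ul>';
}

// Constructed sample names: one ordinary, two that carry HTML metacharacters.
const SAMPLE_NAMES = [
  'report.txt',
  '<img src=x onerror=alert(1)>.txt',
  'a"b&c.log',
];

// Review aid: list the names whose raw and escaped forms differ, i.e. the
// entries that would have altered the page structure if rendered unescaped.
function namesNeedingEscape(names) {
  return names.filter((name) => escapeHtml(name) !== name);
}
```
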