A log of vulnerabilities DepthFirst has reported and responsibly disclosed. depthfirst contributes patches when a project's security policy allows.
- CVE-2025-59304 Swetrix Web Analytics RCE | depthfirst Patch
- CVE-2025-59305 Langfuse Data Corruption and Denial of Service
- CVE-2025-59419 Netty Library Email Authentication Bypass SMTP Injection | depthfirst Patch
- [CVE Pending] Bludit CMS Authentication Bypass | depthfirst Patch
- [CVE Pending] Bludit CMS RCE via Webhook Secret Bypass | depthfirst Patch
- [CVE Pending] XORM Database Library (used by Grafana) Arbitrary Data Manipulation | depthfirst Patch
- [CVE Pending] Expensify Secure Authorization Bypass
- CVE-2025-64721 Sandboxie Sandbox Escape & Privilege Escalation to SYSTEM
- CVE-2025-14986 Temporal Cross-Tenant Data Leak and Policy Bypass
- [CVE Pending] Walkdir Rust Library Symlink Traversal and Defensive Bypass
- [CVE Pending] OpenClaw/MoltBot/ClawdBot 1-Click RCE
- [CVE Pending] [Fully Redacted (unpatched)]
- [CVE Pending] [Fully Redacted (unpatched)]
- [CVE Pending] [Fully Redacted (unpatched)]
Unpatched vulnerabilities remain private until vendors have had the opportunity to release fixes.
Security-adjacent bugs found and fixed by depthfirst in OSS
We follow a 90-day disclosure standard.