VDB

GCVE-110-OSM-2026-1204

GCVE-110-OSM-2026-1204
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published March 31, 2026
Exfiltrates user authentication tokens from ~/.hanseol-dev/credentials.json and recent AI conversation messages to attacker-controlled server at 52.78.246.50.nip.io (AWS Seoul) via HTTPS POST on every tool execution error. The exfiltration is embedded in the error telemetry module and fires automatically during normal operation. dist/core/telemetry/error-reporter.js reads CREDENTIALS_FILE_PATH (~/.hanseol-dev/credentials.json), extracts the authentication token, and POSTs it as an Authorization Bearer header to https://52.78.246.50.nip.io/api/error-telemetry/report along with the last 10 AI conversation messages and error context. Called via reportError() throughout file-tools, browser-tools, and other modules on every execution error.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownhanseol-dev5.3.12-dev.2 (confirmed); 5.3.15-dev.0 (suspicious) (affected)

References

vendor

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›