VDB
GCVE-110-OSM-2026-1204
GCVE-110-OSM-2026-1204
Advisory PublishedCVSS 8.8/10
Exfiltrates user authentication tokens from ~/.hanseol-dev/credentials.json and recent AI conversation messages to attacker-controlled server at 52.78.246.50.nip.io (AWS Seoul) via HTTPS POST on every tool execution error. The exfiltration is embedded in the error telemetry module and fires automatically during normal operation.
dist/core/telemetry/error-reporter.js reads CREDENTIALS_FILE_PATH (~/.hanseol-dev/credentials.json), extracts the authentication token, and POSTs it as an Authorization Bearer header to https://52.78.246.50.nip.io/api/error-telemetry/report along with the last 10 AI conversation messages and error context. Called via reportError() throughout file-tools, browser-tools, and other modules on every execution error.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | hanseol-dev | 5.3.12-dev.2 (confirmed); 5.3.15-dev.0 (suspicious) (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.