[Security Triage] Triage Report — 2026-03-26 #108

@colin-d-fried

Summary

| Metric | Count |
|---|---|
| Total alerts reviewed | 50 |
| Classification: fix | 50 |
| Classification: false-positive | 0 |
| Fast-track (critical/high) | 37 |
| Batched (medium) | 13 |

Breakdown by Severity

| Severity | Count | Alerts |
|---|---|---|
| Critical | 13 | #3-5 (command injection), #22-27 (SSRF/XXE), #34-37 (deserialization/SSTI) |
| High | 24 | #1-2, #14-15 (SQL injection), #6-13 (Flask debug), #16-21 (weak crypto), #28-33 (path traversal/XML bomb) |
| Medium | 13 | #38-50 (XSS, command injection) |

Breakdown by CWE Category

| CWE | Category | Count | Alerts |
|---|---|---|---|
| CWE-078 | Command Injection | 7 | #3, #4, #5, #39, #40, #41, #42 |
| CWE-089 | SQL Injection | 4 | #1, #2, #14, #15 |
| CWE-079 | Cross-Site Scripting (XSS) | 9 | #38, #43, #44, #45, #46, #47, #48, #49, #50 |
| CWE-918 | Server-Side Request Forgery (SSRF) | 5 | #22-26 |
| CWE-611 | XML External Entity (XXE) | 1 | #27 |
| CWE-776 | XML Internal Entity Expansion | 2 | #32, #33 |
| CWE-502 | Unsafe Deserialization | 3 | #34, #35, #36 |
| CWE-094 | Server-Side Template Injection | 1 | #37 |
| CWE-327 | Weak Cryptographic Algorithm | 6 | #16-21 |
| CWE-022 | Path Traversal | 4 | #28-31 |
| CWE-215 | Flask Debug Mode | 8 | #6-13 |

Priority Tier Summary

  • Fast-track (critical + high): 37 alerts, processed first; each has its own branch and PR, except the five SSRF alerts #22-26, which are fixed together in PR #83
  • Batched (medium): 13 alerts (XSS and the remaining command-injection findings), processed after the fast-track items

Fix PRs

Critical Alerts (13)

| Alert | Description | PR | Tracking Issue | Status |
|---|---|---|---|---|
| #3 | Uncontrolled command line | PR #65 | #5 | In Review |
| #4 | Uncontrolled command line | PR #66 | #6 | In Review |
| #5 | Uncontrolled command line | PR #67 | #7 | In Review |
| #22 | Full SSRF | PR #83 | #24 | In Review |
| #23 | Full SSRF | PR #83 | #25 | In Review |
| #24 | Full SSRF | PR #83 | #26 | In Review |
| #25 | Full SSRF | PR #83 | #27 | In Review |
| #26 | Full SSRF | PR #83 | #28 | In Review |
| #27 | XML external entity expansion | PR #85 | #29 | In Review |
| #34 | Deserialization of user-controlled data | PR #86 | #36 | In Review |
| #35 | Deserialization of user-controlled data | PR #87 | #37 | In Review |
| #36 | Deserialization of user-controlled data | PR #88 | #38 | In Review |
| #37 | Server-Side Template Injection | PR #63 | #39 | In Review |

High Alerts (24)

| Alert | Description | PR | Tracking Issue | Status |
|---|---|---|---|---|
| #1 | SQL injection | PR #80 | #3 | In Review |
| #2 | SQL injection | PR #81 | #4 | In Review |
| #6 | Flask debug mode | PR #72 | #8 | In Review |
| #7 | Flask debug mode | PR #73 | #9 | In Review |
| #8 | Flask debug mode | PR #74 | #10 | In Review |
| #9 | Flask debug mode | PR #75 | #11 | In Review |
| #10 | Flask debug mode | PR #76 | #12 | In Review |
| #11 | Flask debug mode | PR #77 | #13 | In Review |
| #12 | Flask debug mode | PR #78 | #14 | In Review |
| #13 | Flask debug mode | PR #79 | #15 | In Review |
| #14 | SQL injection | PR #82 | #16 | In Review |
| #15 | SQL injection | PR #89 | #17 | In Review |
| #16 | Weak cryptographic hashing | PR #90 | #18 | In Review |
| #17 | Weak cryptographic hashing | PR #91 | #19 | In Review |
| #18 | Weak cryptographic hashing | PR #92 | #20 | In Review |
| #19 | Weak cryptographic algorithm | PR #93 | #21 | In Review |
| #20 | Weak cryptographic algorithm | PR #94 | #22 | In Review |
| #21 | Weak cryptographic algorithm | PR #95 | #23 | In Review |
| #28 | Path traversal | PR #96 | #30 | In Review |
| #29 | Path traversal | PR #97 | #31 | In Review |
| #30 | Path traversal | PR #98 | #32 | In Review |
| #31 | Path traversal | PR #99 | #33 | In Review |
| #32 | XML internal entity expansion | PR #100 | #34 | In Review |
| #33 | XML internal entity expansion | PR #101 | #35 | In Review |

Medium Alerts (13)

| Alert | Description | PR | Tracking Issue | Status |
|---|---|---|---|---|
| #38 | Reflected XSS | PR #58 | #40 | In Review |
| #39 | Command line injection | PR #68 | #41 | In Review |
| #40 | Command line injection | PR #69 | #42 | In Review |
| #41 | Command line injection | PR #70 | #43 | In Review |
| #42 | Command line injection | PR #71 | #44 | In Review |
| #43 | Reflected XSS | PR #102 | #45 | In Review |
| #44 | Reflected XSS | PR #60 | #46 | In Review |
| #45 | Reflected XSS | PR #103 | #47 | In Review |
| #46 | Reflected XSS | PR #104 | #48 | In Review |
| #47 | Reflected XSS | PR #105 | #49 | In Review |
| #48 | Reflected XSS | PR #106 | #50 | In Review |
| #49 | Reflected XSS | PR #107 | #51 | In Review |
| #50 | Reflected XSS | PR #61 | #52 | In Review |

GitHub Projects Board

Note: The GitHub PAT used for this triage does not have the read:project scope required to interact with the Projects board (#4). Tracking issues have been created for all 50 alerts (#3 through #52, one per alert) and should be manually added to the Projects board. Each issue should be set to In Review status since all alerts have corresponding open PRs. Adding items to the board and changing their status needs the full project scope on the token; read:project only permits reading the board.
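The manual step described in the note above, automated with the GitHub CLI, as an added example that is not part of the report's triage tooling. It assumes the board is identified by its project number and owner login (the example invocation uses 4, on the assumption that the note's "#4" is the project number), that the repository is OWNER/REPO under that same owner, and that `gh` is authenticated with a token carrying the project scope. The alert-to-issue mapping (alert #n to tracking issue #(n + 2)) is taken from the tables above.

```python
"""Add this report's 50 tracking issues to a GitHub Projects (v2) board.

Added example for this report, not part of the triage tooling that generated
it. Assumes: the board is identified by project number and owner login, the
repository is OWNER/REPO, and every alert #n has tracking issue #(n + 2),
which holds for every row of the tables above (alerts 1..50 -> issues 3..52).
"""
import subprocess
import sys


def tracking_issue(alert: int) -> int:
    """Alert #n maps to tracking issue #(n + 2) in this report."""
    return alert + 2


def item_add_command(project: int, owner: str, repo: str, issue: int) -> list:
    """argv for `gh project item-add <number> --owner <login> --url <issue-url>`."""
    return [
        "gh", "project", "item-add", str(project),
        "--owner", owner,
        "--url", f"https://github.com/{owner}/{repo}/issues/{issue}",
    ]


def plan(project: int, owner: str, repo: str, alerts=range(1, 51)) -> list:
    """One argv per alert, in alert order (alerts 1..50 by default)."""
    return [item_add_command(project, owner, repo, tracking_issue(a)) for a in alerts]


def run(project: int, owner: str, repo: str, dry_run: bool = True) -> dict:
    """Execute (or, by default, only print) the plan.

    Returns {"added": [issue numbers], "failed": {issue: stderr}}. Stops at the
    first failure that looks like the missing-scope error, because every later
    call would fail the same way; the substring check is a heuristic on gh's
    error text, not a documented interface.
    """
    result = {"added": [], "failed": {}}
    for argv in plan(project, owner, repo):
        issue = int(argv[-1].rsplit("/", 1)[1])
        if dry_run:
            print(" ".join(argv))
            result["added"].append(issue)
            continue
        proc = subprocess.run(argv, capture_output=True, text=True)
        if proc.returncode == 0:
            result["added"].append(issue)
            continue
        result["failed"][issue] = proc.stderr.strip()
        if "scope" in proc.stderr:
            print("token lacks the `project` scope; run `gh auth refresh -s project` "
                  "or issue a PAT with that scope", file=sys.stderr)
            break
    return result


if __name__ == "__main__":
    # Placeholder owner/repo; pass --apply to actually call gh instead of printing.
    run(project=4, owner="OWNER", repo="REPO", dry_run="--apply" not in sys.argv)
```

Without `--apply` the script only prints the 50 commands. Setting each item's Status to In Review afterwards needs `gh project item-edit` with the project, field and option IDs, which `gh project field-list <number> --owner <login> --format json` reports; that second step is not scripted here.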

Alerts Needing Human Judgment

None — all 50 alerts were classified as fix with proposed remediation PRs. All PRs are ready for human review and merge.

Next Steps

  1. Review and merge each fix PR
  2. CodeQL alerts close automatically once the CodeQL workflow has re-analysed main after the merge; the merge alone does not change an alert's state, so check the alert list after the next default-branch analysis rather than immediately after merging
  3. Add tracking issues to the Projects board and set status to In Review
  4. After all PRs are merged, update Projects board items to Done
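A check for step 2, added here as an example and not part of the report's tooling: it reads the output of `gh api repos/OWNER/REPO/code-scanning/alerts --paginate` (one JSON array per page, printed back to back) and buckets the report's 50 alerts by the state the API reports now, so that "still open after merge" and "dismissed instead of fixed" stand out. The sample response embedded below is constructed; the CodeQL rule ids in it are Python query ids, which fit the alert descriptions above but are an assumption since the report does not name the language.

```python
"""Verify that this report's CodeQL alerts really closed after the fix PRs merged.

Added example for this report, not part of the triage tooling. It parses the
JSON that `gh api repos/OWNER/REPO/code-scanning/alerts --paginate` prints and
buckets the report's alerts #1-#50 by current state: "fixed", "open",
"dismissed", or missing from the API response. An alert only becomes "fixed"
after the CodeQL workflow has re-analysed the default branch following the
merge, so "open on refs/heads/main" right after merging usually means the
analysis has not run yet rather than that the fix failed.
"""
import json
import subprocess

REPORT_ALERTS = range(1, 51)  # alerts #1-#50 from the tables above

# Constructed sample of three alerts in the REST response shape (not real data;
# rule ids are assumed CodeQL Python query ids).
SAMPLE_ALERTS_JSON = json.dumps([
    {"number": 3, "state": "fixed", "fixed_at": "2026-03-27T10:02:11Z",
     "rule": {"id": "py/command-line-injection", "security_severity_level": "critical"},
     "most_recent_instance": {"ref": "refs/heads/main",
                              "location": {"path": "app/run.py"}}},
    {"number": 22, "state": "open", "fixed_at": None,
     "rule": {"id": "py/full-ssrf", "security_severity_level": "critical"},
     "most_recent_instance": {"ref": "refs/heads/main",
                              "location": {"path": "app/fetch.py"}}},
    {"number": 38, "state": "dismissed", "fixed_at": None,
     "rule": {"id": "py/reflected-xss", "security_severity_level": "medium"},
     "most_recent_instance": {"ref": "refs/heads/main",
                              "location": {"path": "app/views.py"}}},
])


def parse_pages(text: str) -> list:
    """Merge the back-to-back JSON arrays that `gh api --paginate` emits."""
    decoder = json.JSONDecoder()
    alerts, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return alerts
        page, pos = decoder.raw_decode(text, pos)
        alerts.extend(page)


def fetch_alerts(owner: str, repo: str) -> list:
    """Live path (token needs the security_events scope); all alert states are returned."""
    proc = subprocess.run(
        ["gh", "api", f"repos/{owner}/{repo}/code-scanning/alerts", "--paginate"],
        capture_output=True, text=True, check=True)
    return parse_pages(proc.stdout)


def classify(alerts: list, expected=REPORT_ALERTS) -> dict:
    """Bucket the expected alert numbers by the state the API reports now."""
    by_number = {a["number"]: a for a in alerts}
    buckets = {"fixed": [], "open": [], "dismissed": [], "missing": []}
    for n in expected:
        alert = by_number.get(n)
        if alert is None:
            buckets["missing"].append(n)
        else:
            buckets.setdefault(alert["state"], []).append(n)
    return buckets


def report(alerts: list, expected=REPORT_ALERTS) -> list:
    """A summary line followed by one line per alert that is not yet fixed."""
    buckets = classify(alerts, expected)
    by_number = {a["number"]: a for a in alerts}
    lines = [f"fixed: {len(buckets['fixed'])}/{len(list(expected))}"]
    for n in buckets["open"]:
        inst = by_number[n]["most_recent_instance"]
        # Open on main after the merge: either main has not been re-analysed
        # yet, or the PR did not remove the flagged data flow.
        lines.append(f"#{n} open on {inst['ref']} at {inst['location']['path']}"
                     " (not yet re-analysed, or fix incomplete)")
    for n in buckets["dismissed"]:
        lines.append(f"#{n} dismissed rather than fixed; check the reason against its PR")
    if buckets["missing"]:
        lines.append("not returned by the API: "
                     + ", ".join(f"#{n}" for n in buckets["missing"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_pages(SAMPLE_ALERTS_JSON), expected=[3, 22, 38, 50])))
```

For a real run, replace the sample with `fetch_alerts("OWNER", "REPO")` and keep `expected` at the default range; anything listed as dismissed deserves a look, since this report classified all 50 alerts as fix and none as false-positive.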

Generated by automated CodeQL triage on 2026-03-26
