Search results

Dependency regression detected by npm audit (weekly)

GrantFox OSSIssue tracked in GrantFox OSSIssue tracked in GrantFox OSS

Maybe RewardedIssue may be eligible for a GrantFox rewardIssue may be eligible for a GrantFox reward

Official CampaignAudit finding under the Official CampaignAudit finding under the Official Campaign

Status: Open.

#40 In OrbitChainLabs/OrbitChain-API;

· github-actions opened on Jun 22, 2026

[CRITICAL] — PATCH /campaigns/:id is an IDOR: any authenticated wallet holder can overwrite *any* campaign's title, description, story, and image

bugSomething isn't workingSomething isn't working

GrantFox OSSIssue tracked in GrantFox OSSIssue tracked in GrantFox OSS

Maybe RewardedIssue may be eligible for a GrantFox rewardIssue may be eligible for a GrantFox reward

Official CampaignAudit finding under the Official CampaignAudit finding under the Official Campaign

securitySecurity vulnerability or hardeningSecurity vulnerability or hardening

Status: Open.

#19 In OrbitChainLabs/OrbitChain-API;

· Alqku opened on Jun 18, 2026

[LOW] — Widespread @Request() req: any, @Req() req: Request & { user: any }, and as any patterns defeat type safety across ~30 call sites

good first issueGood for newcomersGood for newcomers

GrantFox OSSIssue tracked in GrantFox OSSIssue tracked in GrantFox OSS

help wantedExtra attention is neededExtra attention is needed

Maybe RewardedIssue may be eligible for a GrantFox rewardIssue may be eligible for a GrantFox reward

Official CampaignAudit finding under the Official CampaignAudit finding under the Official Campaign

refactoringCode restructuring without behavioural changeCode restructuring without behavioural change

Status: Open.

#17 In OrbitChainLabs/OrbitChain-API;

· Alqku opened on Jun 18, 2026

[MEDIUM] — Three independent Redis client connections across CacheModule, ThrottlerRedisStorage, and RedisHealthIndicator; no shared connection pool

GrantFox OSSIssue tracked in GrantFox OSSIssue tracked in GrantFox OSS

help wantedExtra attention is neededExtra attention is needed

Maybe RewardedIssue may be eligible for a GrantFox rewardIssue may be eligible for a GrantFox reward

Official CampaignAudit finding under the Official CampaignAudit finding under the Official Campaign

refactoringCode restructuring without behavioural changeCode restructuring without behavioural change

Status: Open.

#14 In OrbitChainLabs/OrbitChain-API;

· Alqku opened on Jun 18, 2026

[MEDIUM] — Stellar event listener persists cursor in cache with global 60s TTL, silently losing the cursor on restart and causing duplicate event processing

bugSomething isn't workingSomething isn't working

GrantFox OSSIssue tracked in GrantFox OSSIssue tracked in GrantFox OSS

Maybe RewardedIssue may be eligible for a GrantFox rewardIssue may be eligible for a GrantFox reward

Official CampaignAudit finding under the Official CampaignAudit finding under the Official Campaign

refactoringCode restructuring without behavioural changeCode restructuring without behavioural change

Status: Open.

#13 In OrbitChainLabs/OrbitChain-API;

· Alqku opened on Jun 18, 2026

[MEDIUM] — Horizon HTTP fetches in StellarTransactionsService lack AbortController / request timeout, can block indefinitely on Horizon hangs

bugSomething isn't workingSomething isn't working

GrantFox OSSIssue tracked in GrantFox OSSIssue tracked in GrantFox OSS

Maybe RewardedIssue may be eligible for a GrantFox rewardIssue may be eligible for a GrantFox reward

Official CampaignAudit finding under the Official CampaignAudit finding under the Official Campaign

refactoringCode restructuring without behavioural changeCode restructuring without behavioural change

Status: Open.

#11 In OrbitChainLabs/OrbitChain-API;

· Alqku opened on Jun 18, 2026

[MEDIUM] — AdminGuard issues a fresh prisma.user.findUnique on every protected request instead of caching role lookups

GrantFox OSSIssue tracked in GrantFox OSSIssue tracked in GrantFox OSS

help wantedExtra attention is neededExtra attention is needed

Maybe RewardedIssue may be eligible for a GrantFox rewardIssue may be eligible for a GrantFox reward

Official CampaignAudit finding under the Official CampaignAudit finding under the Official Campaign

refactoringCode restructuring without behavioural changeCode restructuring without behavioural change

Status: Open.

#10 In OrbitChainLabs/OrbitChain-API;

· Alqku opened on Jun 18, 2026

[MEDIUM] — parseAcceptedAssets silently drops malformed entries instead of rejecting the create/update request

bugSomething isn't workingSomething isn't working

good first issueGood for newcomersGood for newcomers

GrantFox OSSIssue tracked in GrantFox OSSIssue tracked in GrantFox OSS

Maybe RewardedIssue may be eligible for a GrantFox rewardIssue may be eligible for a GrantFox reward

Official CampaignAudit finding under the Official CampaignAudit finding under the Official Campaign

Status: Open.

#9 In OrbitChainLabs/OrbitChain-API;

· Alqku opened on Jun 18, 2026

[HIGH] — WebSocket gateway declares cors.origin: '*' alongside credentials: true, an invalid combination exploitable depending on proxy configuration

GrantFox OSSIssue tracked in GrantFox OSSIssue tracked in GrantFox OSS

Maybe RewardedIssue may be eligible for a GrantFox rewardIssue may be eligible for a GrantFox reward

Official CampaignAudit finding under the Official CampaignAudit finding under the Official Campaign

refactoringCode restructuring without behavioural changeCode restructuring without behavioural change

securitySecurity vulnerability or hardeningSecurity vulnerability or hardening

Status: Open.

#7 In OrbitChainLabs/OrbitChain-API;

· Alqku opened on Jun 18, 2026

[HIGH] — GET /campaigns cache key omits page, limit and sortBy, serving identical payloads for vastly different requests

bugSomething isn't workingSomething isn't working

GrantFox OSSIssue tracked in GrantFox OSSIssue tracked in GrantFox OSS

Maybe RewardedIssue may be eligible for a GrantFox rewardIssue may be eligible for a GrantFox reward

Official CampaignAudit finding under the Official CampaignAudit finding under the Official Campaign

Status: Open.

#5 In OrbitChainLabs/OrbitChain-API;

· Alqku opened on Jun 18, 2026

[HIGH] — EmailService.send logs the full rendered HTML body to console in development; may leak PII into log streams

good first issueGood for newcomersGood for newcomers

GrantFox OSSIssue tracked in GrantFox OSSIssue tracked in GrantFox OSS

Maybe RewardedIssue may be eligible for a GrantFox rewardIssue may be eligible for a GrantFox reward

Official CampaignAudit finding under the Official CampaignAudit finding under the Official Campaign

securitySecurity vulnerability or hardeningSecurity vulnerability or hardening

Status: Open.

#4 In OrbitChainLabs/OrbitChain-API;

· Alqku opened on Jun 18, 2026

[HIGH] — JWT strategy and WebSocket gateway fall back to insecure hardcoded strings when JWT_SECRET is unset, allowing weak-secret boots in any environment

GrantFox OSSIssue tracked in GrantFox OSSIssue tracked in GrantFox OSS

Maybe RewardedIssue may be eligible for a GrantFox rewardIssue may be eligible for a GrantFox reward

Official CampaignAudit finding under the Official CampaignAudit finding under the Official Campaign

refactoringCode restructuring without behavioural changeCode restructuring without behavioural change

securitySecurity vulnerability or hardeningSecurity vulnerability or hardening

Status: Open.

#3 In OrbitChainLabs/OrbitChain-API;

· Alqku opened on Jun 18, 2026