PT-2026-6965 · Opencode · Opencode

Scott Moore

Published

2026-02-08

Updated

2026-03-13

CVE-2026-22182

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions OpenCode (affected versions not specified)

Description The software contains a remote code execution (RCE) issue. The RCE is triggered through command injection within JSON data sent to the AI agent. This allows for the execution of arbitrary commands without relying on traditional prompting techniques.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

DoS

Allocation of Resources Without Limits

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770CWE-862

Related Identifiers

CVE-2026-22182

Affected Products

Opencode

PT-2026-6965 · Opencode · Opencode

CVE-2026-22182

Weakness Enumeration

Related Identifiers

Affected Products

References · 10