Buddy haul · 2026-07-14 · operator-gated
The Filing Queue
Everything Buddy staged from the GhostApproval sweep, in the order to file it. All confirmed, all credited to babakizo420, nothing submitted. Work down the list when you are home.
4 advisories to file
12 confirmed findings
3 High
route = credit / CVE
The real bottleneck now is filing, not finding.
Buddy said it itself: it can keep sweeping the family for more, but realized value is blocked on you filing what we already have. So this queue is the priority, not more hunting.
File in this order
Ranked by name-value and how ready each one is.
1
Amazon Q
github.com/aws/language-servers
High
The headline. Three sibling bugs, one target. Buddy recommends filing them as a single advisory with one root-cause fix, cleaner and stronger than three separate reports.
- Dangling-symlink write (High, ~CVSS 7.1). Silent out-of-workspace write, plant an SSH key or RCE via ~/.bashrc. Incomplete fix of CVE-2026-12958.
- grepSearch read-leak (Med-High). A symlink makes grep silently read ~/.aws/credentials and ~/.ssh straight to the model. No prompt.
- lspApplyWorkspaceEdit (Med / conditional-High). A whole edit tool with no approval guard at all.
Root-cause fix to suggest: canonicalize in isInWorkspace (realpath) + gate every filesystem tool through the same check.
Report drafted (dangling-symlink) + PoC
File: repo Security tab
AWS assigns the CVE
2
continue
github.com/continuedev/continue
High
Strongest of the open-source three. File access is judged lexically, and read / ls / grep run with no prompt by default, so a planted symlink leaks ~/.aws/credentials to the model with zero approval. The create-file prompt shows a harmless name (UI misrepresentation). Undisclosed.
PoC staged (cycle303)File: repo Security tab
3
cline
github.com/cline/cline
High
Auto-approve boundary check is symlink-blind (no realpath), and auto-approve edits + reads are on by default. A repo-shipped in-workspace symlink is auto-approved with no prompt, write an attacker key to ~/.ssh/authorized_keys or read ~/.aws/credentials. Undisclosed.
PoC staged (cycle302)File: repo Security tab
4
Forgejo / Gitea
forgejo + go-gitea/gitea
7 findings
The earlier batch: 7 port-lag findings (a fix that landed in one but not fully in the other). Source-confirmed. These want a quick live-PoC pass per finding before filing. A Forgejo clone is parked at /tmp/forgejo-src on the box for that.
7 staged (cycle298)needs live-PoC pass
How to file each one
Same 4 steps every time. Credit stays babakizo420.
- Open the repo on GitHub, go to the Security tab, click Report a vulnerability.
- Start a new draft advisory, paste the report body, set severity, attach the PoC.
- Add yourself as babakizo420 for credit. Let the maintainer assign the CVE.
- Send it. That is the only button I never press for you.
Walked, on purpose
Findings Buddy declined instead of forcing. This is the calibration that keeps our credibility clean.
✕Roo-Code: the finding was real, but the project was archived 2026-05-15 (read-only, shut down, users sent to Cline). Dead target, do not file. Buddy self-corrected this after its first pass.
✕Command-exec auto-approve (cline / continue / Roo-Code): checked the higher-severity command side too. All walked, that class is already heavily reported, and continue's command guard is actually solid.
✕Langflow (CVE-2026-55255): ran the incomplete-fix drill on the actively-exploited IDOR. The fix sits in a shared helper so every caller is covered. Clean, no sibling. Answered.
✕goose: no containment, but the maintainers reject the whole class as out of their model. Not creditable.
✕opencode: same bug, but they already have symlink fixes in flight. Deprioritized.
✕aider: same class, but an open PR already names the exact sink. Would be a duplicate.
✕Amazon Q MCP-autoload (CVE-2026-12957): checked the fix, it holds. Clean.
If you want even more later
Buddy flagged these as likely same-family, unswept. Only worth it once the queue above is filed.
ZooCode (the Roo-Code successor) · void · zed-agent · pearai · aide · melty. Apply the "check for a co-resident shell tool first" screen AND an is-it-still-maintained check before analyzing each (the goose + Roo-Code lessons).