Finding · openhands

2026-06-24-openhands-dependency-cve-batch-main-unreleased

Index stub for the 2026-06-23..2026-06-24 run. Full receipted detail (what changed, operator implication, accessibility and security consequence, and release-channel status) lives in harvest/watchlist.md, with the curated signal in signals/frontier-signals.yml.

Receipt

https://github.com/OpenHands/OpenHands/pull/14943 (CVE-2026-44727 jupyter-server 2.20.0, dcb840b)
https://github.com/OpenHands/OpenHands/pull/14872 (CVE-2026-49458 dompurify 3.4.6, 0b7d2d4)
https://github.com/OpenHands/OpenHands/pull/14944 (GHSA-6v7p-g79w-8964 msgpack 1.2.1, d9cefcc)
https://github.com/OpenHands/OpenHands/pull/14946 (CVE-2026-45409 idna 3.15, f08e219)
https://github.com/OpenHands/OpenHands/pull/14945 (GHSA-gj48-438w-jh9v bleach 6.4.0, 129584f)

Finding metadata

Confidence: high

Run: 2026-06-24-weekly-digest-2026-06-23_2026-06-24-frontier-v0

Finding ID: 2026-06-24-openhands-dependency-cve-batch-main-unreleased

Accepted signals

OpenHands shipped a five-item dependency-CVE batch to main on 2026-06-23 -- in no tagged release · 2026-06-24

Source links

Primary links, including exact changelog lines when available.

OpenHands
commitgithub.com/OpenHands/OpenHands/pull/14943 commitgithub.com/OpenHands/OpenHands/pull/14872 commitgithub.com/OpenHands/OpenHands/pull/14944 commitgithub.com/OpenHands/OpenHands/pull/14946 commitgithub.com/OpenHands/OpenHands/pull/14945