composiohq / composio
Project repository
Composio equips your AI agents & LLMs with 100+ high-quality integrations via function calling
First interaction within: N/A days
Review within: 13 days
Fix within: N/A days
Reports (title • date • reporter • status • severity • bounty • CVE):

@app.get("/api/download") : Path Injection • Apr 14th 2025 • shyun020 • pending
Insecure Temporary File in Composio • Feb 4th 2025 • ralph13 • pending
RCE via malicious pip package • Jan 9th 2025 • lyutoon • duplicate • Critical
Unauthenticated DoS via multipart boundary • Oct 28th 2024 • mnqazi • informative • High
server.api Remote Command Injection & Unauthorized File Deletion Vulnerability • Dec 10th 2024 • morphykutay • duplicate • Critical
Cross-Site Request Forgery (CSRF) • Sep 16th 2024 • mnqazi • duplicate • High
Local File Inclusion • Sep 17th 2024 • mnqazi • duplicate • High
server.api Path Traversal • Sep 17th 2024 • morphykutay • duplicate • High
Dangerous subprocess.Popen in SHELLTOOL_SPAWN_PROCESS tool • Sep 16th 2024 • 12end • duplicate • High
Dangerous eval in MATHEMATICAL tool • Dec 3rd 2024 • 12end • duplicate • High
Unauthenticated arbitrary file read in api/download • Dec 2nd 2024 • r00tuser111 • duplicate • High
Missing validation step for `x-api-key` leads to authentication bypass • Dec 5th 2024 • vtgsxx • Critical • $900 • CVE-2024-8954
Arbitrary File Read via /api/download • Nov 27th 2024 • vtgsxx • duplicate • High
@app.get("/api/download") : Path Injection • Nov 27th 2024 • shyun020 • duplicate • High
Email Check Bypass via Case Manipulation in "Add Member" Functionality • Nov 26th 2024 • elcapitanoo7x • not applicable
1-Click Account Takeover via "Add Member" Functionality • Nov 26th 2024 • elcapitanoo7x • not applicable
Insecure Direct Object Reference (IDOR) in Integration Information • Nov 26th 2024 • elcapitanoo7x • not applicable
There is an arbitrary file read vulnerability at /api/download. • Nov 26th 2024 • aftersnows • duplicate • High
Path Traversal Vulnerability in File Search Function • Sep 17th 2024 • amdjedbens • informative • Medium
Composio's Local tools Mathematical has a code injection risk • Nov 24th 2024 • aftersnows • duplicate • Critical
Remote Code Execution via POST /api/actions/execute/FILETOOL_GIT_PATCH API end p... • Sep 17th 2024 • zpbrent • informative • Critical
SSRF via POST /api/actions/execute/WEBTOOL_SCRAPE_WEBSITE_CONTENT and WEBTOOL_SC... • Nov 23rd 2024 • zpbrent • duplicate • Critical
Remote Code Execution via POST /api/actions/execute/FILETOOL_GIT_CLONE API end p... • Sep 17th 2024 • zpbrent • duplicate • Critical
Arbitrary File Write via POST /api/actions/execute/FILETOOL_CREATE_FILE + FILETO... • Nov 23rd 2024 • zpbrent • duplicate • Critical
Local File Read (LFI) via POST /api/actions/execute/FILETOOL_OPEN_FILE API end p... • Sep 16th 2024 • zpbrent • duplicate • High
Remote Code Execution via POST /api/actions/execute/MATHEMATICAL_CALCULATOR API... • Nov 23rd 2024 • zpbrent • duplicate • Critical
Remote Code Execution via Dependency Injection in `/api/tools` Endpoint in compo... • Nov 23rd 2024 • cyfra07 • duplicate • Critical
path traversal at API /api/actions/execute/FILETOOL_SEARCH_WORD - Allows attack... • Sep 16th 2024 • nam-no • duplicate • High
Code Injection • Nov 20th 2024 • past3l • duplicate • Critical
Code Execution with `/api/tools` • Nov 20th 2024 • 0gur1 • duplicate • High
Arbitrary code execution with action `SHELL_EXEC_COMMAND` • Sep 16th 2024 • 0gur1 • duplicate • High
Arbitrary File Read/Download vulnerability via Composio Server • Nov 20th 2024 • 7resp4ss • duplicate • High
Path Traversal • Nov 19th 2024 • past3l • duplicate • High
Code Injection • Nov 19th 2024 • past3l • duplicate • Critical
Remote Code Execution via Arbitrary Python Code Injection in /api/tools Endpoint • Nov 18th 2024 • cyfra07 • duplicate • Critical
Local File Inclusion (LFI) in /api/download Endpoint Allows Unauthorized File Ac... • Nov 18th 2024 • cyfra07 • duplicate • High
CSRF in /api/apps/update • Sep 16th 2024 • hainguyen0207 • duplicate • Medium
Command Injection in Gitcmdtool • Sep 16th 2024 • hainguyen0207 • informative • Critical
SSRF in BROWSERTOOL • Nov 17th 2024 • hainguyen0207 • Medium • $75 • CVE-2024-8955
OS Command in api/actions/execute/SHELL_SPAWN_PROCESS • Sep 16th 2024 • hainguyen0207 • duplicate • Critical
Command Injection in SEARCHTOOL • Sep 16th 2024 • hainguyen0207 • informative • Critical
Command Injection in FILEEDITTOOL • Sep 16th 2024 • hainguyen0207 • informative • Critical
Create, Overwrite any file in the system • Nov 22nd 2024 • hainguyen0207 • duplicate • Critical
Local File Inclusion in composio tooling server • Nov 15th 2024 • virusday • duplicate • High
Path Traversal - Change recent folders, view list contents, any file in FILETOOL • Sep 16th 2024 • hainguyen0207 • informative • High
SSRF in /api/actions/execute/WEBTOOL_SCRAPE_WEBSITE_ELEMENT • Sep 17th 2024 • hainguyen0207 • informative • High
Arbitrary file writing can lead to RCE via FILETOOL_WRITE Action • Nov 15th 2024 • vn-ncvinh • duplicate • Critical
Unrestricted File write, read, git clone in filetools actions • Nov 22nd 2024 • rook1337 • High • $450 • CVE-2024-8958
OS Command Injection in FILETOOL_GIT_CLONE Action • Sep 17th 2024 • vn-ncvinh • informative • Critical
Remote-Code Execution via dynamic module importing | Arbitrary File Overwrite | Pi... • Nov 15th 2024 • retr0reg • duplicate • Critical
LFIs at "/api/download" • Sep 17th 2024 • retr0reg • duplicate • High
Unauthenticated Code execution in shell_exec tools • Sep 16th 2024 • rook1337 • duplicate • Critical
RCE via SHELL_SPAWN_PROCESS Action • Sep 16th 2024 • vn-ncvinh • informative • Critical
RCE via SHELL_EXEC_COMMAND Action • Sep 16th 2024 • vn-ncvinh • informative • Critical
SSRF in WEBTOOL_SCRAPE_WEBSITE_CONTENT Action • Nov 14th 2024 • vn-ncvinh • duplicate • High
RCE through pip install of unsafe dependencies • Nov 14th 2024 • vn-ncvinh • duplicate • Critical
Remote Code Execution by calling public API `/api/tools` • Nov 14th 2024 • lyutoon • duplicate • Critical
Local File Read (LFI) by public API `/api/download` • Nov 14th 2024 • lyutoon • duplicate • High
RCE via /api/tools • Nov 14th 2024 • vn-ncvinh • duplicate • Critical
RCE via MATHEMATICAL_CALCULATOR • Nov 14th 2024 • vn-ncvinh • duplicate • Critical
Unsafe eval usage in mathematical_calculator endpoint • Nov 14th 2024 • rook1337 • High • $450 • CVE-2024-8953
Code Injection at API /api/tools • Nov 14th 2024 • ngductung • duplicate • Critical
Unauthenticated command injection on /api/tools endpoint • Nov 14th 2024 • rook1337 • duplicate • Critical
Remote Code Execution via POST /api/tools API end point • Nov 14th 2024 • zpbrent • informative • Critical
Unauthenticated path traversal on /api/download feature • Nov 14th 2024 • rook1337 • duplicate • Critical
Site-Wide Cross-Site Request Forgery (CSRF) • Sep 16th 2024 • 0xanis • informative • High
Local File Read (LFI) via GET /api/download API end point • Nov 14th 2024 • zpbrent • duplicate • High
Remote Code execution via arbitrary python code execution • Nov 14th 2024 • winters0x64 • duplicate • Critical
Code Injection • Nov 14th 2024 • 0xanis • informative • Critical
Local File Inclusion • Sep 17th 2024 • 0xanis • duplicate • High
I will update later • Aug 16th 2024 • hainguyen0207 • spam
SSRF in /api/actions/execute/WEBTOOL_SCRAPE_WEBSITE_CONTENT • Nov 14th 2024 • hainguyen0207 • Medium • $75 • CVE-2024-8952
Path traversal leads to view any files • Sep 17th 2024 • fewword • duplicate • High
Path Traversal at /api/tools • Sep 16th 2024 • kienzx203 • informative • High
Path Traversal in API `/api/download` • Sep 17th 2024 • duongli99 • informative • High
Bounty by severity:
CRITICAL: $0
HIGH: $0
MEDIUM: $0
LOW: $0