Unauthenticated remote code execution in OpenCode (cy.md)

OpenCode, an open-source AI coding assistant, is under scrutiny for a serious security vulnerability that allows remote code execution. Prior to version 1.1.10, OpenCode automatically launched an HTTP server at startup without user authentication, which could have been exploited by any web page to execute commands with the user's privileges. Although the server is disabled by default in recent updates, it can still be enabled via configuration, raising significant security concerns if compromised. This vulnerability is crucial for the AI/ML community, particularly for developers relying on the OpenCode platform, as it exposes users to potential attacks from malicious websites or local network devices if the server is running. Even after mitigation measures, such as CORS restrictions introduced in version 1.0.216, vulnerabilities remain unaddressed in all versions concerning unauthorized command execution when the server is enabled. The incident highlights the need for robust security practices in software development, especially in projects utilizing open-source components, where user awareness and safeguards against exploitation are paramount.