Add 3 critical security advisories for hexstrike-ai (0x4m4/hexstrike-ai)

[sermikr0]

Summary

This PR adds 3 critical security advisories for hexstrike-ai (8,200+ stars), an AI-powered cybersecurity toolkit.

All vulnerabilities confirmed with local PoC testing, present in latest version.

Advisories

ID	Vulnerability	CVSS	CWE
GHSA-h3x5-r9c2-qm47	Unauthenticated RCE via /api/command	9.8	CWE-78, CWE-306
GHSA-v7p8-c4f6-jw32	Command Injection in /api/tools/*	9.8	CWE-78
GHSA-w2k9-m5g4-xr86	Path Traversal in /api/files/*	9.8	CWE-22, CWE-306

Details

• Repository: https://github.com/0x4m4/hexstrike-ai
• Affected file: hexstrike_server.py
• Authentication: None required
• Discovery date: 2026-04-20
• Responsible disclosure: Email sent to maintainer (contact@0x4m4.com)

[taladrane]

👋 github/advisory-database is not a venue for disclosing new vulnerabilities, publishing proof‑of‑concepts, or coordinating a report when a vendor is unresponsive. This repository’s purpose is to curate and publish advisory records (e.g., for already-tracked, publicly referenceable vulnerabilities) so ecosystems and tooling can consume consistent metadata. To ensure your report is appropriately handled, please refer to Privately reporting a security vulnerability, which includes instructions for repositories that don't have private vulnerability reporting enabled.

Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!